Health Committee
Oral evidence: Handling of NHS Patient Data, HC 1105
Tuesday 8 April 2014
Ordered by the House of Commons to be published on 8 April 2014.
Supplementary written evidence from witnesses:
Members present: Mr Stephen Dorrell (Chair); Rosie Cooper; Barbara Keeley; Grahame M. Morris; Mr Virendra Sharma; Valerie Vaz
Questions 203-400
Witnesses: Kingsley Manning, Chair, Health and Social Care Information Centre and Max Jones, Director of Information Services, Health and Social Care Information Centre gave evidence.
Q203 Chair: Good afternoon, gentlemen. I should say that we are expecting a vote on the Floor of the House at 3.30 pm, so when the bells jangle, we shall disappear and then return. Will you introduce yourselves briefly?
Kingsley Manning: I am Kingsley Manning, chair of the Health and Social Care Information Centre.
Max Jones: I’m Max Jones, director of information analytics at the Health and Social Care Information Centre.
Q204 Chair: We had a session with you, Mr Jones, and with representatives of NHS England three or four weeks ago, and it was very unclear to the Committee then how the HSC information centre relates to the NHS information centre, the forerunner organisation, with a surprisingly similar sounding name and function. May I ask you to begin by explaining the extent to which HSC information centre has inherited the structures, people and decisions from the NHS information centre, and the extent to which its scope is different from, or the same as, its predecessor organisation?
Kingsley Manning: Certainly. As you know, we were formed on 1 April 2013 under the Health and Social Care Act. I suppose that we have three major and significant components. There was the old NHS information centre, which I will come back to in a second. We also took on board Connecting for Health, which at that point was part of the Department of Health, and we subsequently took on NHS Choices and the implementation teams around the local service providers—this is about the end of the national programme—from the strategic health authorities. To give you a sense of numbers, the NHS information centre employed about 500 people, Connecting for Health employed about 1,350 people, the Local Service Provider (LSP) from strategic health authorities had about 200 people, and NHS Choices was about 150 people. In July of last year with about 2,200 people, of whom 500 were from the NHS information centre.
Our broad activities under the Act are to provide information systems, including the physical information systems such as N3, which is the national network—the spine—which is a very key component in running the system for the collection, storage, analysis, dissemination and publication of information across the system as a whole. So we have inherited the duties and responsibilities of the information centre and its 500 people, although they have been rewritten in the Act, but that is one part of what is now an organisation of 2,200 people.
Q205 Chair: But have all the functions of the old NHS information centre been carried forward to the HSC information centre?
Kingsley Manning: Yes, although there is an important shift and change, which is that we have an explicit requirement under the 2012 Act to act in the interest of the health and social care system, whereas the health information centre collected information, and disseminated and published it, in pursuit of its function, so we have a much tighter and much more specific remit with respect to the basis of our actions. By the way, it is worth saying that the primary role of the information centre is around, for example, providing national statistics. We publish 400-odd reports a year on health, as well as publishing data sets, including those that we are going to talk about today, so it is a broad range of activities.
Q206 Chair: Leaving aside Connecting for Health and the other activities, what we are clearly interested in today is the availability and manipulation of information, and the controls on that manipulation and on access to information. That was previously a function of the NHS information centre and is now a function of the HSC information centre.
Kingsley Manning: It is.
Q207 Chair: And there are other activities in your organisation that were not in the NHS information centre. For the purposes of this inquiry into manipulation and controls on access to data, that was a function of the old information centre and it is a function of the new information centre.
Kingsley Manning: Yes.
Q208 Chair: So the next question is: what changes have been made in the governance between the old information centre and the new one, or are they, although under different statutes, for practical purposes very similar?
Kingsley Manning: I think, in practical circumstances, they are very similar, but the functional definition of what we are required to take note of has changed.
Q209 Chair: You said that the new law required you to focus on the system, but it was not clear to me what the old law was.
Max Jones: Perhaps I can quote from the original 2005 health and social care information centre directions. The document lists some generalised functions for the old IC, but it specifically states that it may exercise functions to do anything whatsoever “which is calculated to facilitate, or is conducive or incidental to, the discharge” of the centre’s functions. That is in contrast to the equivalent clause under the 2012 Act, which forces us to take account of being in the interests of the English health and adult social care system. It shifts the focus to the purpose being for the benefit of the system as opposed to being for the benefit of the organisation.
Q210 Chair: All right, but beyond that, there was no substantial change in the legislative formula for the information centre.
Max Jones: There was a significant expansion of many of the features that were outlined in relatively little detail in the 2005 Act, but were expressly stated in many of the clauses under the 2012 Act.
Q211 Chair: In terms of governance, there are 500 people in the new organisation who were inherited, by and large, from the old organisation, presumably.
Kingsley Manning: Just for completeness, the NHS information centre was a special health authority. We are clearly an arm’s length body of the Department of Health, so there was a governance structure.
Q212 Chair: But what patients or the policy community look to the information centre to deliver is access to information, perhaps subject to proper safeguards. The old information centre made, and the new one makes, decisions about that. The formulations have changed, but the basic approach has not.
Kingsley Manning: We would argue that, because of a series of contextual factors, if you like, the overall approach has changed. We have changed it by taking a different, more robust approach.
When I became chairman last June, it was clear that the approaches that had been adopted by the information centre were no longer entirely appropriate, given both the degree of data we were able to collect and a change in public expectations. It was also clear that some of the processes that the previous information centre had been operating were not as transparent or as consumer-friendly, if you like.
Q213 Chair: Well, now we are getting somewhere. What irritated some of us in the previous hearing was that, on more than one occasion, the answer offered to the question, “What are the controls around access to information?” was, “That was a decision taken by the previous organisation.” But actually, from the beginning of the old information centre, which I think was in 2005, it seems that, if we are going to develop broad confidence in the security around the handling of information, the narrative—to use that over-used word—that you were just suggesting, Mr Manning, was, “What used to be was not right, and we have taken a series of steps to tighten it up.” That is different from saying, “It has nothing to do with us, guv.”
Kingsley Manning: I agree entirely. As you know, we are undertaking a review to look all the releases by the IC. Our initial trawl suggests that it was acting in a completely proper process, but it was in the context of the time and of the rules as they were then.
I simply felt—I think our colleagues on the board feel—that times have moved on. The security threat and the volume of data are much greater, and the public’s confidence in public bodies to handle data—not just us, but across the whole public sector—has significantly changed. The processes that were run by the IC were proper in their time, but trying to define the difference between the Data Access Advisory Group (DAGG), Independent Advisory Group (IAG), Confidentiality Advisory Group (CAG) and Independent Information Governance Oversight Panel (IIGOP)—I will come back to all those acronyms later—is very difficult indeed. We did not have processes that were, as I said, consumer or citizen-friendly, and that was what our intent was from the start.
Q214 Valerie Vaz: Can I ask you quickly about the licences under the old system? Have they ended?
Kingsley Manning: You mean the agreements on data sharing?
Valerie Vaz: Yes.
Kingsley Manning: This will be confirmed in Nick Partridge’s review, which we will publish at the end of May, so the figures may slightly change, but I will give you what we know about it at the moment. We think that, as of April 2013, there were 249 agreements issued by the NHS Information Centre. Just to remind you—I am terribly sorry; this is overwhelmingly complicated—those data-sharing agreements applied to where we are issuing pseudonymised or identifiable data. This is where there is a theoretical risk of identification, so that is where we have data-sharing or data-reuse agreements in place. There were 249 in April that had been issued by the NHS IC of which, in April this year, there remain 112, so they are running off as we go forward.
Q215 Valerie Vaz: So there is an end date. Can you publish who has them?
Kingsley Manning: We will be doing so at the end of May. By the way, so that you can be clear about this, of the 112 that still have data-sharing agreements with us, none of them received any data during this year. What those data-sharing agreements will do is to cover the data that they were issued with during the period of the NHS IC, and we will ensure that they are still bound by the same requirements that were issued by the information centre at that point.
Q216 Barbara Keeley: I will ask a more detailed question about those shortly, but can we just go back to this NHS IC and the HSCIC, because there has been some confusion, which I have commented on in the Chamber? At the end of the previous session, Max Jones was asked by a Member who is not here about staff and decision makers transferring across. She specifically asked if some of the people who had been decision makers in the NHS IC were now decision makers in the HSCIC. You said: “the very senior management in the HSCIC is not the same as the very senior management that was in the IC.” That does not seem to me to be true, because I then had an answer from the Minister that three of the non-executive directors and two of the executive directors were previously members of the NHS information centre, including Dr Mark Davies, who had been in both organisations and who last year, and until recently, was chair of the DAAG. How did you come to make that comment? You have since written to us about it, and I have to say that I am not happy with your letter.
Max Jones: I did write to the Committee. In that previous discussion, we were talking about the senior management who had responsibility for decisions and accountability for decisions on data sharing. At the time of the Committee, the executives with responsibility for that were myself for data and information services and Rob Shaw—
Q217 Barbara Keeley: No, can I take you back to what you said? You said: “the very senior management in the HSCIC is not the same as the very senior management that was in the IC.” That does not seem to me to be true. Dr Mark Davies was a very senior manager, wasn’t he?
Max Jones: What I was attempting to say at that time was that if you looked at the very senior management of the old IC and the very senior management of the HSCIC, they are not the same. Specifically, in the area of data access and control, myself and Rob Shaw were the two executives with the responsibility and accountability for data and information sharing and Senior Information Risk Officer (SIRO) responsibility. At the time of the previous hearing, Mark Davies had attended his last DAAG meeting and was not the chair of DAAG for the meeting that took place two days later.
Q218 Barbara Keeley: The Member was not asking you about that day of the hearing; she was actually referring back to the releases to insurance companies—that was what we had been talking about. We had been following a track of questions about who had been responsible for data releases in the past. For many months, since he transferred across from the NHS information centre, Dr Mark Davies was chair of the DAAG and in that senior position.
Max Jones: Exactly, yes.
Barbara Keeley: In terms of data sharing, I understand that he went on the trip to the United States with the Secretary of State and was there when they signed the memorandum of understanding. He was clearly a very senior manager in that organisation.
Max Jones: But not at the time of the hearing when I made my statement.
Q219 Barbara Keeley: He was. It was 25 March.
Max Jones: He was not the chair of DAAG and he was not the senior information risk owner, who is the accountable member of the board with responsibility for signing off data-sharing contracts.
Q220 Barbara Keeley: I am afraid that is not satisfactory. The Member was trying to get a broad understanding of the people who were decision makers in both, because what was happening in that meeting was that a lot of wriggling was going on—
Rosie Cooper: There still is!
Barbara Keeley: There was a lot of saying, “It’s nothing to do with us, guv; this all happened in the past.” You answered the question in that way when this person was a very senior manager, to the extent that he accompanied the Secretary of State on a trip to the United States to sign a data-sharing memorandum of understanding, and, to me, it is astonishing that you should say that the person who had been the chair of the DAAG did not have that responsibility and that you are still wriggling to try to get out of that now. I am not happy with that answer, Chair; I just do not think that is acceptable.
Kingsley Manning: I am sorry. We are trying to be as transparent as possible.
Q221 Barbara Keeley: I don’t think so. I really don’t think so.
Kingsley Manning: May I just talk you through the history of this so that you can get a sense of it? When I was appointed on 3 June last year, I was the only director who was not an interim appointment. All the senior management and all the directors were interim directors. We therefore had a major transformation to undertake. Part of that was reorganisation of the management team and we took the view early on that the current management of the data-sharing arrangements and Information Governance (IG) functions needed to be changed. That is why we made Rob Shaw, who had worked for Connecting for Health previously, not the IC, the Senior Information Risk Officer (SIRO)—senior information responsible officer—and we made Max responsible for the data functions. So we changed dramatically, and that was undertaken in September. At that point, we knew that Dr Davies was redundant. He had been made redundant on the abolition of the information centre, and we put in place a plan to deal with that. He was in post. We were not in a position—
Q222 Barbara Keeley: Sorry—you had a plan to make him redundant last year?
Kingsley Manning: No, no. He was made redundant by virtue of the abolition of the NHS IC. It was not our decision.
Q223 Barbara Keeley: So you kept him on for eight or nine months?
Kingsley Manning: We kept him on because we needed to have cover on clinical governance and on clinical advice.
Q224 Barbara Keeley: In fact, he was a very senior manager, and he did accompany the Secretary of State on the visit when they shared the memorandum of understanding. And—
Kingsley Manning: He did. I was there also.
Q225 Barbara Keeley: Let me say a bit more. This is the person that you were making redundant, but you let him chair the DAAG, and he made a number of controversial decisions, including the decision out of committee to release the sensitive medical records of individual teenagers—
Kingsley Manning: I am sorry; that is not true, I am afraid.
Q226 Barbara Keeley: It was reported to be true—
Kingsley Manning: I think you are referring to the fact that he was asked to give advice by the Cabinet Office. He had actually worked for the Cabinet Office on the matter. He gave advice on the consent model that they were going to use. We never released any data and we have not been asked for any data by the Cabinet Office on this matter.
Q227 Barbara Keeley: This was reported last summer by The Guardian newspaper that the sensitive medical records of teenagers on the National Citizen Service were released. That was apparently “an out-of-committee decision” by the chair. Dr Mark Davies was allowed to make decisions out of committee as the chair, and that decision was apparently taken last summer.
Max Jones: I can clarify that Mark Davies did provide advice, as is one of DAAG’s functions, on the consent model, which was being considered by the Cabinet Office, but we have not received a request for that data, nor have we provided any data. The discussion that Mark had was referenced and recorded in the January—I think it was January; I’ll check in a minute—DAAG minutes.
Q228 Barbara Keeley: At least six months after the discussions took place.
Max Jones: That may be the case.
Q229 Barbara Keeley: So this is the person that you are going to make redundant—
Max Jones: No data was requested nor shared. Advice was requested on the consent model, which was given.
Q230 Barbara Keeley: What was requested was linkage of data, wasn’t it? It was linkage to medical data.
Kingsley Manning: No, he was asked by the Cabinet Office to give professional advice on the consent model they were considering. He gave that advice, which was a perfectly sensible thing for him to do. That was the end of the matter.
Max Jones: And that was recorded in the minutes of DAAG held—
Q231 Barbara Keeley: Yes, I have a copy of that in front of me. You talked earlier, and it is quite important, about transparency. To have recorded this six months after it happened and to then be trying to change something—I am not aware that The Guardian was challenged on the fact that data had been released. It seems there is a very hurried after-the-event style of things happening here, and that is not good for transparency. This is being talked about quite a bit. People’s confidence in what you do has been really undermined by this and the fact that there could have been any suggestion of linkage to medical records for those people taking part in the National Citizen Service. For heaven’s sake, there are all kinds of undertakings made to them as they sign up to that service, and quite rightly. They even have an opt-in for their personal data, so to even consider that, and not to have documented what was happening until six months after the event, just makes you look shady.
Kingsley Manning: I agree, but we did not have a data request. I absolutely agree, by the way, with your essential point, which is the sensitivity of linking these data in any way with receipt of data—benefits and all the rest of it. One of the things I noted in our press release last week was that we welcome the proposition under the Care Bill amendment that will bring Confidentiality Advisory Group (CAG)—the confidential advisory group—into this. One of the areas that we think they should look at is indeed the extent to which we share or should share data with other Government bodies. This is an area where there is a lack of clarity and a great deal of sensitivity. We know from our research, by the way, that one area where we have absolute sensitivity is in this. People are very, very worried about the use of their medical records in any way that might have an impact on their tax returns, their benefits payments, their housing, or any of these things. This is where we would very much welcome the advice of Parliament and CAG—the extent to which this is possible. At the moment, as you know, we have not released any data to DWP or any such body but we absolutely recognise that it is a key issue.
Q232 Rosie Cooper: Commercially, people have got that information. There are DVDs out there with all that information on, yes?
Kingsley Manning: Sorry, what information?
Q233 Rosie Cooper: You provided DVDs to external customers. I am sorry, but somebody else will ask you about that. There is information out there. We had an evidence session; well, I don’t suppose you would describe it as an evidence session, it was more a tutorial. I asked one of the people present whether he could locate my medical records. He said it would be illegal for him to do so but that if we got permission he would do it immediately. He was not making it up. He said he could identify all of us. I asked whether he could identify the Prime Minister’s and he said he could do so within five minutes.
Kingsley Manning: It is difficult to comment on this. First of all, we have gone through in great detail the process of releasing the data that we have been responsible for and we will follow that up with the data that are released under sensitive data. As you are aware, we release as part of the open data agenda a very large amount of anonymised data where it would be impossible to do that. The use of, or any attempt to use, any of the data we issue which is pseudo-anonymised data for the purpose you suggest would be clearly in breach of the law and would potentially be liable for a £500,000 fine.
Q234 Rosie Cooper: And if I am a big pharmaceutical company that’s going to worry me, is it?
Kingsley Manning: Yes, I think it absolutely would.
Q235 Rosie Cooper: Oh, rubbish! Where we need to get to you backing this up by saying, “If you’re a chief executive and anybody in your organisation misuses the information, then you should be liable for a prison sentence.” Until you do that, saying “We are going to fine you” is a load of old rubbish. If I were you, I would be ashamed to be chair of an organisation that even potentially allowed that to happen.
Kingsley Manning: The power to put people in prison is way beyond my pay grade—
Q236 Rosie Cooper: Absolutely. But while you sit there comfortably thinking that everyone is going to be good because we are going to fine them threepence—rubbish.
Kingsley Manning: We are absolutely servants of Parliament on this. If Parliament wants to change the regulations with regard to the release of data, we will clearly be happy to do so. We have put in place the safeguards and the processes that fulfil and meet our obligations. We have no record and we would be very happy to meet anybody who has evidence of people who have identified individuals using pseudo-anonymised data.
Q237 Rosie Cooper: My colleagues are here. I can categorically assure you that, providing we could give indemnity, there was a person who came here who said they could do it in minutes. Is that not right? Is it true or not?
Chair: It was what he said, Rosie. The Committee is also used to people saying things and expressing opinions as well as facts.
Rosie Cooper: Well why don’t we demonstrate it? How do I get permission to identify—
Chair: I think that is a question for the Clerk rather than the witnesses.
Q238 Valerie Vaz: You have obviously gathered from the number of sessions, Mr Manning—you were not here at the first session when we had Mr Kelsey, who does not appear to be here today. I don’t think he was invited. But you wrote to us, Mr Jones, with Mr Kelsey. Following on from my colleagues, we are not quite sure that the answers are very helpful. Could you turn to the letter and I will ask you for some information? This is very concerning and I hope this will be published on someone’s website—either yours or certainly the Health Committee’s website—so that people can see some of these answers and follow them up. The first is on the copyright on data used in the Institute and Faculty of Actuaries report. It is sad in some ways that it is going to be public but it looks like you don’t know what you are doing. A logo has been used and you didn’t know it was going to be used. Do you want to look at the answer?
Max Jones: Yes, I am just trying to locate that. I am aware of the answer that we gave. The organisation used our logo without coming to us to seek our permission to do so. They were entitled to have access to that data under the agreement which they had which was granted by our predecessor organisation. Under the terms of that agreement they were required to show a copyright statement in their publications.
Q239 Valerie Vaz: This is the difficulty, isn’t it? You say you didn’t know, but if there were proper procedures in place, they would know that they had to ask you, wouldn’t they?
Kingsley Manning: Under the data-sharing agreement, they should have done.
Q240 Valerie Vaz: Right, okay. Where is it? Is it in there? Is it in the data-sharing agreement that they should ask your permission?
Kingsley Manning: We are happy to share the data-sharing agreement with you.
Q241 Valerie Vaz: Is it in it, or not?
Max Jones: I don’t know. I am not particularly—
Q242 Valerie Vaz: I think this is what we are trying to say. [Interruption.] Hang on a second. You come before us. We have been elected by the public and are here to hold you to account. When things go wrong, as they appear to have done, we are entitled to ask you questions. I am absolutely appalled. I think the majority of us are, which is why you are back here again to try to work out why you don’t know what is going on in your organisation. This is a simple thing. It is either in the agreement, or it is not. They either have to ask your permission, or not; they cannot just use it. You have made it clear here that you don’t know. Is that right or wrong?
Max Jones: Well, they have to include a copyright statement.
Q243 Valerie Vaz: But you don’t know, because you said it in your answer.
Kingsley Manning: They are required to do so and they—
Q244 Valerie Vaz: And they didn’t. So, what have you said to them?
Kingsley Manning: They are required to use a copyright statement, and they clearly used the current logo when they should have used the previous one.
Q245 Valerie Vaz: Right, so people are going round doing things as they wish, without checking with you.
Max Jones: I don’t think you can equate which particular image and logo an organisation uses with the risk—
Q246 Valerie Vaz: Well, it is a stamp of approval. That is the key thing, isn’t it? It is your stamp of approval. You are taking people’s data, and they are being used in a certain way. That is the stamp of approval. What the public and we all expect is that there are proper procedures to ensure that the release of data is adequate and has proper protection. That is the point, isn’t it?
Max Jones: I think the public have a right to expect to see us do things that will encourage their confidence and help transparency. I can see that, in this case, this discussion does not enhance confidence in this area.
Valerie Vaz: Right, and this is what our job is, to do that.
Max Jones: Nor are we saying that, in this particular case, any data have been released in an untoward or illegal fashion, or that patient confidentiality has been threatened.
Rosie Cooper: Have you got a clue?
Q247 Valerie Vaz: On the Institute and Faculty of Actuaries, you mentioned that you are an arm’s length body, but how do you allow a Minister to go into the Chamber to make a statement that is wrong, and then she has to—[Interruption.] Oh, you don’t know. You are actually mentioned in her statement and her letter. Do you not know about what the Public Health Minister wrote to the Chair of the Committee on 3 March?
Max Jones: I don’t think I am sighted on that.
Q248 Valerie Vaz: You are. She said: “I was made aware on Friday 28 February that the information I had on hand during the debate did not include the latest clarification received from the Health and Social Care Information Centre”. That’s you, isn’t it: HSCIC?
Max Jones: It is.
Q249 Valerie Vaz: Right. She continues: “I therefore wrote to you on Friday to inform you of this and to seek your steer on how best to correct the statement that I made in the debate.” You don’t know any of this?
Max Jones: This isn’t ringing any bells.
Q250 Valerie Vaz: This is about your organisation. The Minister has gone into the Chamber. The Minister says: “The correct position was that the Faculty requested pseudonymised information…said they would publish this only as anonymous information, with all identifiers stripped out.” I could go on: “In handling this request, the NHS Information Centre”—the predecessor organisation—“did not treat this as a request for sensitive information.” I think you should have a look at this.
Max Jones: We are happy to do that and come back with a note to the Committee.
Q251 Valerie Vaz: Just to help me with the governance relationship and the accountability between yourselves and the Department of Health and the Minister, you don’t know that a debate is going on about care.data and information that discusses you. When there are questions coming in, do you answer them? Does the Minister ask you for information?
Kingsley Manning: We get regular requests from the Department of Health. We are not privy to ministerial statements before they occur.
Q252 Valerie Vaz: I am not talking about ministerial statements; I am talking information and facts.
Kingsley Manning: We will respond clearly to anybody who asks us for that information, including the Department of Health.
Q253 Valerie Vaz: Right. So you sit in your organisation and kind of have your own governance, but you don’t have any link to the Department of Health or the Secretary of State.
Kingsley Manning: We meet through a process of accountability through the sponsor Department. We do that periodically and, on a number of things, we work closely with them, but we are an Executive agency and an arm’s length body, and we do not have a day-to-day presence from the Department of Health in our offices. There is no necessity for it to have discussed this with us before it published it.
Q254 Valerie Vaz: Well, there is, because normally in the civil service, when there is a debate about something, civil servants will prepare a report, and find out the information and give it to the Minister, so that the Minister tells Parliament the correct position. That is not happening here, is it? A Minister can go into the Chamber and say something that is totally wrong and it does not really matter, does it—to you?
Kingsley Manning: I think it matters enormously.
Q255 Valerie Vaz: So what are you doing? I am staggered that you don’t know that this has happened. You do not know that a Minister has made an incorrect statement in the Chamber and has had to write to the Chair of the Committee.
Kingsley Manning: I am sorry. I was aware that it had been corrected by the Department. As far as I was concerned, we were not aware of the original statement and we were not asked to prepare it. We are not asked to prepare ministerial statements.
Q256 Valerie Vaz: So this is where I say that the governance and the accountability are falling down. You can stand behind being an arm’s length body, but you are operating separately with no accountability.
Kingsley Manning: We are accountable—
Q257 Valerie Vaz: You keep frowning, but I am trying to paint the picture for you. I know you have come from an organisation outside the civil service and you do not understand the public interest. I know you don’t—you can’t possibly from years and years of people being in the civil service. You are there as an arm’s length body to do what it is you like and forget about what happens to Ministers and the general public.
Kingsley Manning: I understand that you may not appreciate the current structure of the accountable bodies. We have an accountable officer in the chief executive, who is ultimately accountable to the PAC. We have an accountable relationship with our sponsor branch within the Department of Health, which results in us having a formal monthly meeting. I meet the permanent secretary on a monthly basis. That is the nature of an arm’s length body. We are accountable, then, through our attempt to be as transparent as possible to the public and Parliament.
Q258 Valerie Vaz: Our concerns are that you have got people’s public data—people’s absolutely important information about every single aspect of their lives. You have that, and you are an arm’s length body, and that is what concerns everyone. There is no accountability.
Kingsley Manning: Hang on a second. We are accountable, as I said, to the Department and to Parliament. We are here being held accountable. We are also governed—
Q259 Valerie Vaz: I don’t think you are here being held accountable. We have asked you to come back because we were unhappy about some of the answers you gave—about the shambles of the organisation.
Kingsley Manning: It is not a shambles of an organisation.
Q260 Valerie Vaz: It is. I haven’t finished; I can go on.
Kingsley Manning: May I just say that we are delighted to be here? As the Chair will tell you, I visited him in January asking to come and talk to you about the work of our organisation and to discuss with you our activities with the release of data.
Valerie Vaz: With the greatest respect, we do not want to talk to you or discuss; we want to ask you questions and we expect answers. If you had been here at the previous hearing, you would know that to every question we asked—basic questions asking for basic information about how an organisation is run—the answers were not available, hence this letter, and if you read this letter, it does not even say yes or no—it does not even answer the questions properly.
Q261 Barbara Keeley: There is some detail on this that I think is quite important. Part of the difficulty in media and the social media is that there is a real difference from your pronouncements of what you say is the situation with data and what the people out there—commercial organisations that have Hospital Episode Statistics (HES) data and already have large databases—are saying.
If we go back to the insurance actuaries—the Staple Inn Actuarial Society—these comments are from the report that it produced on the use of 188 million records taken from HES. It talked about the data as being “highly detailed”. We get an answer back saying that the data are in aggregated and anonymised form. Don’t forget that the HES database started off as an admin database for handling payments and information about patients. It was never set up to feed into the insurance industry, was it? After it had run all the things that it wanted for commercial reasons against hospital data, it said that HESID “does allow all periods of care for” a patient “to be identified and linked”. It lays out all the specific details there are in individual records: clinical information; demographic information, such as age and gender; dates of admission and discharge from hospital; location of treatment; and the area where the patient lives. In fact, it says that the data contained 47.5 million “unique HESIDs…compared to the English population” of 49 million. That is a very close echo of one for one in the records.
It is not the only one that says that sort of thing about this. Harvey Walsh has been running a database and says that it provides NHS data to the pharmaceutical industry. There was the issue a few weeks ago with the tool by the firm OmegaSolver, and there has been the issue about PA Consulting putting up all that massive 13 years of hospital episode data on to Google servers on the cloud and real worries about security there. All these people do not say that they have aggregated anonymised data; they say they have very detailed information. It comes back to the point that my colleague was making. What specialists are saying to us again and again is that it is possible to re-identify people. In fact, Dr Mark Davies said a couple of months ago, I think, that there is a small risk that if you have enough data, you can re-identify patients.
We have examples given to us in the House. An MP has had his nose broken five times and thinks that, in terms of his hospital records, it makes him a person who stands out. There are individuals in public life who have had well-publicised operations, incidents and accidents, about whom there will be a lot of data. What I read out to you that the Staple Inn Actuarial Society said is very detailed information. Yet you have given answers to Ministers that they have used—and which my colleague was talking about a few minutes ago—which make it seem as though this is not data of that type. The users are saying that the data is highly detailed: “We can build up an individual’s medical history across all episodes and we can link all their diseases”. That is what the data users are saying. So for a couple of thousand pounds you—or rather your predecessor—have put out 188 million records. This is being reported and commented on, and it is making people feel undermined.
You and Ministers are saying one thing, but the information out there is totally different from that. It looks very detailed. I have seen screen grabs from the patient analyser tool showing that very detailed picture. It almost feels possible to identify a person: when they were admitted to hospital, where they live, their age band and gender. It is very detailed information. Why this difference between a pretence that this is all aggregated and analysed—
Kingsley Manning: I am sorry, but we do not pretend that these are aggregated data.
Q262 Barbara Keeley: We were told in a seminar—and people outside here are saying—that it is possible to re-identify individuals on this data. We will come on to pseudonymisation—
Kingsley Manning: I am sorry, but you are talking about pseudonymised data, I am afraid.
Q263 Barbara Keeley: We need to know what is out there now. There is a very strong feeling—I subscribe to it—that this data is not protected enough and has been let go. It is out there. You mentioned that there were 249 commercial reuse licences, of which 112 are left, but some of the ones I mentioned are also selling it on to other people. We have had lots of examples.
Kingsley Manning: If they have a data reuse agreement, it is perfectly legal for them to do so.
Q264 Barbara Keeley: Okay. It may be that you have totally lost control of the data that has already gone. It is out there; it is in the cloud and it is being used on different forms of computer.
Kingsley Manning: Thank you for your explanation of that. We are required under the Health and Social Care Act to publish certain data and we are required to disseminate data—that is actually one of our functions. We do so in a manner that is in accordance with the regulations in the law, and overseen by the Information Commissioner.
Rosie Cooper: I have just written to him.
Kingsley Manning: We cannot make up the law as we go along. We act within the regulations and the law as it is. We accept—we are entirely straight about this—that there is a theoretical risk of re-identifying a small amount of pseudonymised data that we put out, but it would be illegal to do so. We have no examples of where it has been done, but I would be delighted to meet the individual who says they can do it. It is a theoretical possibility.
Barbara Keeley: But in fact—
Kingsley Manning: The detail of the data is, if I may—
Q265 Barbara Keeley: Can you just stop at that point, because you should almost say “yet”? The feeling we got in our seminar was that you have no instances of that happening “yet”.
Kingsley Manning: Oh, we are very concerned about that.
Q266 Barbara Keeley: It would be fair at this point, given what I have just said and the picture I have drawn, for you to admit that you have lost control of the data that has already gone out of the NHS—it is gone! You have had these 249 commercial reuse licences. Some of these people not just have the data for themselves, but are supplying it to others in the industry that they serve.
Kingsley Manning: And if they have a reuse agreement, it is legal for them to do so.
Q267 Barbara Keeley: Whether or not it should have been, some people—I know you are looking into this—have then loaded that very large amount of data that belongs to every patient in this country, or should do, on to Google servers. You can form your own opinion of how secure that is. This data has gone. You are not controlling that data at all.
Kingsley Manning: We control the process of release. In the register we published this week, we gave details of the legal basis for doing so. We have done so in accordance with the regulations and the law as it stands at the moment. We have put in place a series of data-sharing agreements and reuse agreements that are overseen by the Information Commissioner’s Office (ICO) and the regulations that make it illegal to re-identify anybody, even if the theoretical possibility exists, and require the use of the data to be clearly stated—there has to be a proper purpose for that—and for it to be destroyed once it is used. There is no question but that this data is immensely rich and allows you to look in great detail across the health and social care systems. That is one of its great asset values for the health and care system as a totality.
Q268 Barbara Keeley: But stop on the proper purpose because it is quite easy to see, and since you released the register the other day there are a number of examples given of companies. A lot of these are market-based ideas; they are not really driven by health benefits to the patient. One of the companies said that its usage was to examine the UK uterine fibroid market—the word was “market”. I quoted an example to the Minister in a recent debate I had of a company that was comparing prices and performance between consultants in a kind of GoCompare-type comparator of pricing per consultant. The DAAG released consultant data—sensitive data—to that last year. When you say “proper”, are you just including market uses? Is it any market use?
Kingsley Manning: The regulations as they stand at the moment do not allow us to make that type of judgment—[Laughter.] I am terribly sorry; you may find that amusing. The amendments to the Care Bill will enable us to ask CAG. I have already said in public that we would welcome the advice of CAG on these types of releases.
Q269 Barbara Keeley: But you have already made them.
Kingsley Manning: I appreciate that. We operate according to the Act as it has been passed. We make decisions on the basis of the current regulations. It is not our job to make a judgment on whether we agree or disagree with the nature of a commercial organisation. That is not a criterion on which we act.
Q270 Barbara Keeley: So you are prepared to release even sensitive data out to organisations that just want to do a price comparison website on different pay procedures between different hospital consultants. That was what you did.
Kingsley Manning: I am terribly sorry, but we are bound by the law and the regulations. Under the current regulations that is perfectly legal and legitimate. Indeed, it is arguable that it is a benefit to the health and social care system as a totality. That is an argument that you, Parliament and the public will have to consider. Whether there are real advantages in having efficient and effective suppliers such as Baxter or any of these other companies, and whether you want pharmaceutical companies to use the data to develop new drugs or services, are decisions that you have to make.
Q271 Barbara Keeley: But entirely commercial uses such as the insurance use and the price comparison use are two things. The third area of concern I have is that you don’t control who the end user is. All those companies that advertise their services just to an industry like Harvey Walsh and some of the others are just selling on—
Kingsley Manning: They have to have a specific agreement to be able to do that, and that requires them to take appropriate steps to safeguard the data.
Q272 Barbara Keeley: So have you got the information because I have asked for it twice, but not been given it? For all those 249 organisations with a commercial reuse licence, can we know who all the end users of our data are?
Kingsley Manning: No, because they are using it and putting it into additional services. So, for example, a company such as McKinsey or KPMG would have used it to support Monitor or the NHS TDA in advising on the transformation of health care services.
Q273 Barbara Keeley: All commercial clients.
Kingsley Manning: Commercial clients, but it is worth making the point that they were a significant minority. The majority of the people we released data to were part of the NHS and the public sector.
Q274 Barbara Keeley: What we are talking about is audit. Can you audit? There are apparently going to be audits. Can you audit all the data releases? Can you say for all the HES data where it has gone, who is using it and for what?
Kingsley Manning: No. And, indeed, in terms of the anonymised data, which we make freely available on our website—
Q275 Barbara Keeley: I am not talking about anonymised data; I am talking about HES.
Kingsley Manning: We are being specific. Pseudonymised data, in terms of the Data Protection Act, is treated as being anonymised; it cannot be identified.
Q276 Rosie Cooper: But it is not the same—that is playing with words. When you issue pseudonymised data, I am not as protected as when you issue anonymised data. A drug company wrote to ask me to get involved in a trial because I have got a dodgy knee—how does that work? They know who I am, but does that qualify as anonymised? I have asked the data commissioner to look at that.
This is sad, because huge health benefits could be derived from this. You talk about having permission for this or that, but, from the performance of the last team and what we are hearing today, the big message out there is that you have not got my permission or that of the Great British public. Not all of them actually received your letter. You have not got their permission to give their information out freely. The message is: if you want to protect yourselves from a bunch of clowns, you need to ensure that you opt out tomorrow—how sad is that? You are behaving like a group of people who have not got a clue. You can argue and pirouette on the head of a pin, but you have not really answered Barbara’s questions satisfactorily.
Can I ask you a question? When did you know that your logo was being misused?
Max Jones: I will have to come back to you with the exact date.
Q277 Mr Sharma: You must have some idea—whether it was a year ago, two years ago or two months ago. You cannot just say that you will come back to us.
Max Jones: It was not long before our previous Health Committee appearance. I will need to come back you with the date, but it—
Rosie Cooper: And what did you do—
Q278 Mr Sharma: I am sorry but, just to follow up, the misuse of that logo was an important incident, but you do not have an idea of when it happened.
Max Jones: I cannot here today give you the exact date—
Q279 Mr Sharma: We are not asking whether it was 7 April or 8 April, but you must know about which period you found out.
Max Jones: I would say it was within a week of our last appearance at the last Health Committee, so that would be around the middle of February 2014.
Q280 Rosie Cooper: Okay. So what did you do immediately after you found out?
Max Jones: I asked the team to investigate and come back to me with further details.
Kingsley Manning: And we are in the process of doing that.
Max Jones: And, in fact, we are doing exactly the same thing—
Q281 Rosie Cooper: You say “we are in the process of doing that”, but the misuse of the logo happened in February. Did you tell them to take it off their website immediately and say, “You don’t have our permission”? Forgive me—I can only be rude—but you are behaving like this is all happening outwith you: that these things are happening, you are doing your best and it is all okay; but it is not. And then you are telling me that you are safe to use the medical records. You have already messed up and misused the hospital records, and now you want GP records. This is nonsense. If you can’t get a grip, you can’t ask the public to trust you any further. It is absolute rubbish.
Chair: Would you like to respond to that?
Kingsley Manning: Are we going to have a question?
Q282 Rosie Cooper: Yes: why should we trust you when you haven’t got a clue?
Kingsley Manning: Well, you can trust us because, I think, first we have a world-class record in keeping data securely. There has been only one major breach with loss of HES data since 2009 and that was, in fact, in north-west London. We have a world-class record on providing data to support research. We have—
Q283 Mr Sharma: Sorry to interrupt, but you said about 15 minutes ago that you had no clue who was using your database.
Rosie Cooper: Where is the data going and who has got it?
Mr Sharma: You said earlier on, in response to one of my colleagues, that you had no idea who is using it.
Kingsley Manning: I was making a distinction. On our widespread publication of anonymised data, for example, last week we published on our website the prescribing data for December at GP level. That is freely available to anybody who wants to use it. We make no constraint on that; as part of our open data agenda, we are committed to make that available to whoever wants to use it. The same applies to about 400 other data sets—
Q284 Barbara Keeley: I stopped you earlier, though, because we are not concerned with the generalised data; we are talking about—
Kingsley Manning: Yes, but may I answer the point? That is overwhelmingly the amount of data that is made available.
Q285 Barbara Keeley: That was not what I was asking about.
Kingsley Manning: I realise that, and may I come back to that? That is why, specifically with regard to the sets of data that are covered by data-sharing agreements, I took the view that the process that we inherited was no longer robust. We have therefore been in the process of changing the management and the processes, and we have voluntarily adopted a process of being much more transparent about the process and about the data releases we have made.
Q286 Barbara Keeley: But what I was trying to get to was the concern. We are just looking for transparency and honesty here. On all the data that was previously released through these commercial reuse licences where there are end users—the question that the Committee wanted to put to you—you are unable to say what are the uses to which the data release under those licences may be put, what controls are in place and what information is provided—you don’t know. With the whole 13 years of the HES database and however many million records have gone out to one of these providers that then provides on to others—in the United States, this has involved putting up the data on Google cloud, and we are not sure of the security of that—you can’t say. You should admit it now. If you can’t tell us where all that data is and what all its uses are, it seems you can’t. You have already admitted that entirely commercial market uses—
Kingsley Manning: The control is through both the overriding regulations established within the Data Protection Act and the data-sharing agreements that we enter into with people, which specifically allow the reuse of data with safeguards with regard to anonymity.
Q287 Barbara Keeley: So you have no idea who the end user is. You have no idea if they are using it properly because there is no audit.
Kingsley Manning: And that is in accordance with the law and the regulations as they stand today.
Q288 Barbara Keeley: So, just to be clear, audit is not going to be possible for all the uses and all the end users. The data is out there. You have licensed people to use it and other people to buy it, and there is no control over that—it is just out there.
Kingsley Manning: I don’t accept there is no control. There is control established in accordance with law and the regulations as they are today.
Q289 Barbara Keeley: But you are not able to say who is using it and for what reason. You are not able to say that. There are end users out there.
Kingsley Manning: No, because we have a large range of organisations that we have been encouraging. Government policy has for a long time been to encourage the use of this data to advance both the health and social care system in this country and the economy. If, for example, we supply pseudonymised data to a drug company to help it to develop a new drug, we do not know the end users beyond that organisation, but that is perceived as being a task and a function that we have. It is done in such a manner that the data is safe and secure, and is not identifiable back to an individual.
You may wish to change the base upon which we act. We absolutely welcome the suggestion that we should submit these to the confidentiality advisory group. We have identified a number of cases where we think its guidance would be very helpful, including in this area. We would absolutely welcome that, but I am afraid we cannot make up the rules that we act by.
Chair: On that note, we need to go and vote. We shall be back in a quarter of an hour.
Sitting suspended for a Division in the House.
On resuming—
Q290 Chair: Let’s restart. I would like to put a different framework around the discussion. The introduction of care.data has been delayed by six months. The discussion that we have had so far this afternoon does not give me huge confidence that we are not going to be back having a discussion in September similar to the one we had six weeks ago. What are you doing to use the time between now and September to ensure that we do not simply have a rerun of the discussion we had six weeks ago, that we can be confident that the proper safeguards will exist and be applied, and that the public can be confident about those safeguards, when we come to the end of the delay period?
Kingsley Manning: With regard to care.data, it is perhaps worth pointing out that this is an NHS England programme, of which we are a supporter. The senior responsible officer is Tim Kelsey. I am happy to talk about what our role and function in that is, but I am not in a position to answer all your questions about the care.data programme; you need to address those to NHS England. However, I am happy to tell you what our role is.
Chair: Go on then.
Kingsley Manning: We have essentially four roles in this. The first is to provide the technology framework to do it for the extraction and collection of the data. We have already implemented that, and we have run it recently to collect data for Quality and Outcome Framework (QOF) payments.
We have a second interest in providing the IG framework for that. Once the data are collected and passed to us, we will be the data controller, so we will be responsible for ensuring its security and further use. As you know, the data to be collected are four months’ data from GPs—that is, when it is finally rolled out. The release of that, as it has been agreed with IAG, is very limited indeed. We have agreed to allow the data to be used only by NHS England and no one else, and our current arrangement is that it will have access to it only on our premises, so the data will not go any further than that at this stage.
We have a third interest, which is ensuring data security. We are concerned about the transmission mechanisms and making sure that they are secure between the GP suppliers, the intermediary software system and ourselves.
Our final interest is ensuring that the data collected are robust and fit for purpose. We are interested in their statistical resilience and whether they are of value in demonstrating that they can inform commissioning, research and other bodies. Those are the four roles we are undertaking.
In terms of supporting NHS England, as I said, we are reinforcing our view in terms of IG security, particularly in terms of the ability of GPs to feel secure in terms of the process to us. We are reinforcing our data controller role in terms of their further, onward transmission.
Q291 Chair: The core of your answer around care.data is that the regime for controlling the use and access to the manipulation of data will, for data received from GPs, be fundamentally different from the regime that has been applied up until now to HES data.
Kingsley Manning: The release is much more restricted, because that was the agreement made with the independent advisory group. That is the basis on which it has been agreed. We are comfortable with that. We think that there is a great advantage in being able to demonstrate that the system works and is secure, and that the data that are brought out and are linked to HES data will have demonstrable value. We recognise that, for many people—this point has been made by many people—there is a real sense of ownership towards GP data, which is particularly important; it is very sensitive. Taking a step-by-step approach is therefore entirely appropriate.
Q292 Chair: But it is odd, isn’t it? We are talking about the same patients, but we have one regime for controlling data—the access to the data and conditions on which it can be used—if it is gathered by a GP, but once the patient is in hospital, there is a completely different regime of control around the data generated in the hospital.
Kingsley Manning: It is odd, although under the NHS constitution any individual has the right to ask the provider—the hospital—to suppress their data. That is a right set out in the NHS constitution.
Q293 Chair: With respect, we are talking about the control regime around the use of patient data in anonymised or pseudonymised form, and all the discussion so far has been about the extent to which those controls are effective. You have been seeking to demonstrate to us that you believe that the control regime you apply is effective for HES data, but now we are saying that for GP data, the control regime in future will be fundamentally different.
Kingsley Manning: At its launch it will be fundamentally different, because that was the basis on which the independent advisory group agreed to the extraction going forward. That was the basis, as I understand it, that NHS England negotiated with the RCGP and the BMA and other representatives. I think that is entirely appropriate.
Q294 Chair: May I interrupt you at that point? If the control regime for GP-sourced data is regime A, why is it appropriate for the treatment of that data, sourced from a GP, to be subject to regime A, whereas if it is sourced from a hospital it is subject to regime B? From the patient’s perspective, why is that appropriate?
Kingsley Manning: I agree—it is an interesting question. One of the witnesses from the previous session, a gentleman from the BMA, made the good point that there is a particular nature of GP data: it is longitudinal, it is often in much greater depth, and it deals with individuals in a very different way than is appropriate to health care data. He made a powerful argument for why GP data had a particular characteristic that meant it needed to be dealt with differently. That is a core reason for doing this.
Q295 Rosie Cooper: You said it would be treated differently “at its launch”. What changes do you anticipate? In other words, are we actually saying that we will pretend to give you additional security until we get that information from the public and the GPs, and after that we will subject it to different tests? In other words, this is a con job isn’t it? Dick Turpin with or without a mask is still Dick Turpin.
Kingsley Manning: I don’t think so at all. I am trying to give you the information. What we have done is agree to a certain set of conditions that I think are entirely appropriate. As you are probably aware, there is considerable pressure from medical charities and researchers on the limitations—
Q296 Rosie Cooper: And that overrides my privacy?
Kingsley Manning: No, it does not override your privacy, because, as you are aware, you will have a right to opt out. That is entirely appropriate.
Q297 Rosie Cooper: We don’t have a right—
Kingsley Manning: You do have a right to opt out.
Q298 Rosie Cooper: We don’t. There is actually no right to opt out in law. The Secretary of State has agreed that any objection will be dealt with, but we do not have a legal right.
Kingsley Manning: You are quite right.
Rosie Cooper: If you can’t even get that right, then we have no chance.
Q299 Barbara Keeley: While we are on GP data and the different ways that is treated, may I ask you about free text within GP data, and the mining of free text that is going on at the moment? There are applications—mainly academic, but that is how it starts—that are extracting data from the free text of GP notes. The Minister was very clear when we had the Care Bill debate in the House that there would be no extraction of free text, but in fact we have heard from GP witnesses that there is already extraction and mining of free text. We talked about rich data; clearly there is a lot of rich data just held in the notes in GP surgeries. That is apparently not being done with patient consent. Patient consent has not been asked for for those applications. There is concern now about that.
Max Jones: We have been very clear and the independent advisory group published its decisions on the website transparently that for the extracts, using the GP extraction service for care.data, we will not extract those free text notes from GP consultations and there would be a limited set.
Q300 Barbara Keeley: I understand that; you said that last time.
Max Jones: If others are approaching that in a different manner I don’t think that is for me to talk to. If other parts of the health system—
Q301 Barbara Keeley: Just to be clear then, you were talking to the Chair about different regimes existing around different types of data. So there is no regime around that—there is no control of that application. Researchers are mining GP notes for free text just to see if it is useful. That is happening and it is happening without patient consent. How is that legal?
Max Jones: The HSCIC is not. I cannot talk to whether other organisations are.
Q302 Barbara Keeley: We were talking about the governance and regimes around this. So just to be clear: that doesn’t fall within your remit at all and it won’t do? That is just separate and carries on being so.
Max Jones: We don’t have jurisdiction over the actions of other national bodies.
Q303 Barbara Keeley: That is CPRD, isn’t it? Is there any plan to bring CPRD under the HSCIC?
Kingsley Manning: There are no plans that I am aware of. Just for clarity we do handle data on behalf of CPRD to ensure the pseudonymisation process. We act as a contractor for Clinical Practice Resarch Datalink (CPRD), but CPRD is part of the MRHA and not part of us. It operates under a 251 agreement, which are the regulations that allow it to operate. It is covered, in fact, by the confidential advisory group. So it is acting entirely under an appropriate regime but it is not something that is our responsibility.
Q304 Valerie Vaz: I am going to stick to care.data. I just wanted to remind you, Mr Jones, in your letter to us you knew that the logo was used in 2013.
Max Jones: You asked me when I, personally, became aware and I think that was the answer.
Q305 Valerie Vaz: I am telling you that the logo was used in 2013, which fits with the picture that we are not confident that you can run this whole process. Let us go to care.data—
Kingsley Manning: I am terribly sorry, but we are being asked to—
Valerie Vaz: I want to move on to something else, with the greatest respect, Mr Manning. We have a very short time—
Kingsley Manning: And we are happy to be as helpful as possible but you are casting aspersions on us which—
Q306 Valerie Vaz: No one is casting any aspersions—
Kingsley Manning: And you are not giving us an opportunity to respond.
Chair: Valerie, can you let Mr Manning respond to that?
Valerie Vaz: Mr Manning does not know anything about it. It is not his letter; Mr Jones wrote the letter. I was just pointing out that they stole your logo in 2013—
Max Jones: My understanding was that they published their report in 2013, but I was not—
Q307 Valerie Vaz: But they used your logo without your permission.
Max Jones: Correct.
Q308 Valerie Vaz: And you said you only knew about it in 2014?
Max Jones: Correct.
Q309 Valerie Vaz: Ergo, to use a Michael Gove phrase, what happened between then? Where were you? Shall we move on?
Chair: No, you have asked a question.
Max Jones: I was not personally sighted on that fact that that report had been published and the incorrect logo had been used.
Rosie Cooper: We are talking about the organisation that has our data and you haven’t got a clue.
Q310 Valerie Vaz: I suppose that it why we have got to the stage we have with care.data and the pause, yet again. I just want to know what has happened between now and then. Is this six months fixed in stone? Or are you waiting for everything to—
Kingsley Manning: I am terribly sorry—
Valerie Vaz: Can I just finish the question? Are you waiting for everything to be put in place and then you will proceed with care.data?
Kingsley Manning: That is not our decision. I have explained to you what our role in this is. The decision on the nature of the programme, the pause and what will be done in terms of the communication package is one for NHS England and its SRO. It is not for us.
Valerie Vaz: Okay. But NHS England isn’t here.
Chair: Well, we didn’t invite it to come; we asked the information centre to come.
Q311 Valerie Vaz: Are you working with it or not?
Kingsley Manning: Yes, we are, very closely. I have explained to you the role we are adopting.
Q312 Valerie Vaz: From your knowledge and what you understand, why don’t you tell us what you think is happening with the six-month delay? Is it a fixed term, or is it open ended, so that all the problems can be sorted?
Kingsley Manning: I cannot answer that question. I do not have that responsibility. You have to address the question to NHS England.
Q313 Chair: Is it not fair to record that the introduction of care.data was delayed for six months substantively because there was public concern about the security arrangements around the handling of existing data by the information sector?
Kingsley Manning: Is that a question?
Chair: Yes, it is a question. Is that not the principal reason?
Kingsley Manning: I think there was a whole series of reasons about the communication process, and there may well have been concerns about security.
Q314 Chair: In your relationship with NHS England, have you been asked to address those concerns about security during the six-month delay?
Kingsley Manning: I am very happy to talk about that. Yes, we have—in fact, much more than that. We believe—we have had long discussions with the Department of Health on this—that there are very serious, broader concerns about security, not just about care.data, because of some of the issues I raised earlier. We will be coming forward in the coming weeks with a series of proposals to increase significantly the stringency and robustness of the process we have around a thing called the IG toolkit, and about a series of measures that we were putting in place with regard to security across the system as a whole, not just care.data. We are extremely concerned about the current threats to data security across the whole health and social care system. We will be carrying forward a series of actions, as I said, to significantly increase our surveillance and measures to attempt to get an enhanced level of assurance across the system as a whole.
Q315 Valerie Vaz: Okay, let’s try it this way: what is your time frame? What time frame have you been given by anyone—Department of Health or NHS England?
Kingsley Manning: As of today, pending any further announcements—
Q316 Valerie Vaz: No, as of the time of the pause. Or today—anything. Today and the pause.
Kingsley Manning: As of today, we understand that the intention is to proceed in October, at the end of the six-month pause. That may be subject to further announcements by NHS England and further changes.
Q317 Valerie Vaz: But you are doing some work on this, aren’t you, which you have just outlined?
Kingsley Manning: Yes, I explained to you what we are doing. We have the technology to enable us to do this, in terms of extracting it, up and running. We have demonstrated it in connection with QOF. We are taking measures—we will come back to you if you wish with regard to what we are going to do—to enhance security across the system as a whole. As far as I am concerned, until there are any further announcements, we are planning on the timetable as announced at the time of the pause.
Valerie Vaz: Sorry, I didn’t hear the last bit.
Kingsley Manning: We are planning on the basis of what has been the last announcement, which is that it will be, I think, in October.
Q318 Valerie Vaz: So what is the end date you are working to? When do you expect it all to be up and running—you having done your work, NHS England having done their work, the Department of Health having done its work and the Secretary of State having done his work? What end date are you working towards? Have you been talking about that at all?
Kingsley Manning: Yes, I’m sorry, but the intention is that in October we will take the first run. That is what was announced at the time of the pause.
Q319 Valerie Vaz: Is that 1 October?
Kingsley Manning: We haven’t decided if it is the 1st or the 2nd.
Q320 Valerie Vaz: So it is flexible. It is not quite six months fixed exactly?
Kingsley Manning: We are planning on the basis that it will be delayed for six months and therefore it will be at the beginning of October. I cannot give you the exact date and perhaps I could not even give you the exact time, but it will be at the beginning of October under the current plan. I have to say I am not the responsible officer for this. There may be further changes and further developments and you need to address that to NHS England. It would be wrong of me to foresee what they may or may not do.
Q321 Valerie Vaz: This is what is concerning me even more, because you are now saying that you are not in control of it all, yet you are dealing with it.
Kingsley Manning: I am not in control of it, because I am not running the programme.
Q322 Valerie Vaz: Who is?
Kingsley Manning: Mr Kelsey and NHS England.
Q323 Valerie Vaz: Right. You are completely out of it?
Kingsley Manning: No, but they are the senior responsible officers.
Q324 Valerie Vaz: Please help us and the public. We do not know the jargon. We do not know DAAG or any of those other things. The majority of people in the big wide world do not understand all that. You have your meetings behind closed doors. We are not party to it. We are elected by people to ask you the questions. That is why I am asking you the question. Please understand that, because last time both NHS England and HSCIC were here you were answering our questions. Maybe I should address this to Mr Jones? I want to know—sorry, do you want to check something?
Kingsley Manning: I am checking through the original documentation, just to reinforce the point.
Q325 Valerie Vaz: Mr Jones, in your discussions with NHS England, you are obviously party to all this, aren’t you? You are not completely washing your hands of all this?
Max Jones: No, we are a strong part of delivering the care.data programme.
Q326 Valerie Vaz: I ask because if there are concerns that people have, they know they have time. I want to know whether this six-month period is a fixed time or whether it is flexible. Are you going to make sure that all the system is under control, that everything—transparency and accountability—is in place and that people understand what has happened to their data, if they wish not to opt out, by a certain time? Is there a certain time that they have to opt out by?
Max Jones: As for the system, as Kingsley mentioned, we have a working date at the moment that will be around 1 October. We will take a first extraction, but that date is subject to the consultations, discussions, stakeholder engagement, the advisory groups and the significant engagement that is taking place, led by NHS England. We are the organisation providing the technology and infrastructure with which this will be collected, hosted and analysed. In that environment, we have a long history of holding significant numbers of records and processing them. As Kingsley mentioned, we have just successfully extracted the quality and outcomes frameworks for GPs using this GP extraction software, and we are going through a process of rigorously developing the technology—implementing, testing, and making best use of this period of time.
But, as Kingsley said, the decisions about exactly how the communications will be run and how the decisions will be taken are subject to NHS England’s governance and senior responsible officer position, which makes it accountable for the management of the overall programme and the delivery of benefits that come from that investment on behalf of the taxpayer.
Q327 Valerie Vaz: Could you help us in terms of whether there are any contractual commitments in place that mean that you have to meet that date of 1 October?
Max Jones: I am not sighted on any.
Q328 Valerie Vaz: Should we be asking that of NHS England?
Kingsley Manning: You are perfectly free to do so. I do not see what commitments it would have, but I would be interested to know the answer.
Q329 Valerie Vaz: Clearly things must have been put in place before the pause, such as contracts. You said you were speeding on to data extraction.
Max Jones: For the data extraction, as we discussed at the last Select Committee, we already have an existing contract with Atos for the provision of that GP extraction software. That has been in place for some time. It went live successfully recently with the quality and outcome frameworks extractions. That provides a framework within which the care.data GP extracts, as per the independent assurance group specification, will be extracted.
Q330 Valerie Vaz: You mentioned Atos. Can I take you back to the letter that you sent us, just to clarify a couple of things? First, are you confident that it can run this kind of contract, given that it is pulling out of another Government contract?
Max Jones: We have a good record. I used to be part of the Connecting for Health regime. We had a good working relationship with Atos running the choose and book service. Its delivery and performance on this first extract with the GP extraction software over the last few weeks has been encouraging.
Q331 Valerie Vaz: May I turn to your answer? I asked about the costs of care.data, with particular reference to the Atos contract, and you set it out in two different paragraphs. You have given me a figure for the GP extraction service, but what about the care.data?
Kingsley Manning: It is worth pointing out—Max will give you the detail on this—the contract and the letting of the GP extraction service to Atos and the contract we entered into with the GP system suppliers predate the notion of care.data entirely. The contract was signed in 2012, well before care.data. It was a strategic development on behalf of the NHS information centre in terms of renewing a series of products that it was using for extracting data from GP systems—for example, for the quality management analytic service and to support QOF. So care.data was utilising an investment that had already been made and was already committed. The incremental costs of doing care.data are very small. They are actually, in 2014-15—Max will give you the exact figures in a minute—about £1 million.
Q332 Valerie Vaz: That is what I am trying to get at, because it is not clear. So it already has this contract for the GP extraction service and care.data is just going on top of that. You just said that there isn’t any additional cost—is that right?
Max Jones: No; care.data is obviously a service that involves the collection, processing, publication and sharing of information. The Atos contribution to that environment is to provide the framework within which we do the data collection. It does not store that data and it does not process that data, but it collects it and acts as the interface to the GP suppliers.
We already have the Atos contract in place, as Kingsley referred to, and the incremental work for care.data is to provide the interfaces to the GP information technology system vendors to allow us to extract that data. So that is the mechanism: we ask for that data, a response is provided, and then Atos packages that and sends it into the HSCIC. That cost, with the GP suppliers, is forecast in 2014-15 to be about £140,000.
Q333 Valerie Vaz: Is that in your written answer?
Max Jones: No, it is not; that is information that I am giving you today.
Q334 Valerie Vaz: What I got from the first paragraph was that you had not quite costed care.data separately from the GP extraction service. Can you not do that?
Kingsley Manning: That is what we have just done.
Max Jones: I have just provided you, I think, with the specific answer you were looking for. The wider cost, over an extended period of time—five or six years—of running the care.data service is in development at the moment. That strategic outline case is being developed and will be going through the approvals process in the coming months.
Q335 Valerie Vaz: So what is the figure of £1.17 million?
Max Jones: That was the cost of HSCIC staffing to date on supporting care.data.
Kingsley Manning: That is our direct staff costs.
Valerie Vaz: Chair, do you want me to deal with the patient objection?
Chair: Go on.
Q336 Valerie Vaz: What are you doing now? I am still not clear. Are you or NHS England responsible for the information provided to patients about care.data?
Kingsley Manning: The ultimate decision with regard to the nature of the objection process will be given to us by direction from NHS England, and the communication package is the responsibility of NHS England. Is that correct, Max?
Max Jones: That is correct.
Q337 Valerie Vaz: So it was responsible for putting out the leaflets—or not putting out the leaflets—and what happened after.
Kingsley Manning: It was managing that process, yes.
Q338 Valerie Vaz: Are you discussing how that will proceed?
Kingsley Manning: The subject of objections is one with which we are constantly concerned. The Chair made a comment about the distinction of using different data in different places. We—and, indeed, others in the system, including Fiona Caldicott—are extremely concerned about the fact that there is no consistency about the nature of objections. It is a very complex and confusing situation across a whole range of different subjects. We are attempting—we are ensuring that the technology is improved—to make the objection process easier at the GP end, and we are ensuring that that will be as simple and straightforward as possible.
I think that, overall, we recognise absolutely that the current position of what you object to, where and when—whether or not in the hospital and with the GP, and whether to consent with your summary care record or whatever—is confusing. It is technically challenging and difficult. Some of the older systems we have within the health and social care system simply cannot handle objections. As we already said, that is the case in the acute hospital system.
Q339 Valerie Vaz: What is the process, then? I think we have got the wrong people here. You are saying that it is NHS England that is handling all this.
Kingsley Manning: No, we are very happy to tell you what the processes are—absolutely delighted. All I am saying is that the rules with regard to objections are to be set under direction, not by us, but Max will be happy to tell you about the process.
Max Jones: Patients have the ability to record two types of objection. The first type of objection is to any detailed information about them leaving their GP practice to the HSCIC. They can record that objection by the GP recording the read code, which in this case is the N9u0. Once that is on that patient’s record, when the General Practice Expansion Service (GPES) software comes to ask for an extract of the data from that practice, patients who have recorded that objection will not have any patient-level data extracted through that GP extraction software, and HSCIC will not have any of that information that is held on the GP’s system for that patient. So that we can monitor objection rates, we will extract a count of those people who have expressed a type 1 objection.
The other kind of objection that people can record is known as a type 2 objection. There is a different code that can go into the patient’s general practice record. That is where the patient objects to any information containing identifiable data about them leaving the HSCIC. We will, of course, have to record that objection, held against an NHS number, to say that that particular person has asked us to respect their request to object to it leaving the HSCIC. We will extract the fact that that individual has registered that objection with their GP. That is how the objections process functions for the GP extraction of data under the care.data system.
Q340 Valerie Vaz: How you will test that across patient data flows? How are you testing whether that is going to work?
Max Jones: We will absolutely have to test that. It strikes me as imperative that we take very seriously our obligation to test these systems to ensure that they work.
Q341 Valerie Vaz: So how are you going to do that?
Max Jones: We will have to identify a set. We have a good history, particularly within the old Connecting for Health world, of implementing very rigorous assurance mechanisms. We have a significant amount of experience in doing that. As you would expect, we will be doing system tests, module tests and integration tests with fully tested scripts. We do volume and performance testing and we do regression testing. I would be very happy to give you chapter and verse on that, but it is a very rigorous process.
Q342 Rosie Cooper: It didn’t apply to hospital records.
Max Jones: I am talking about—
Rosie Cooper: I know what you are talking about, but it didn’t apply to hospital records, did it? Otherwise we couldn’t be in the situation that we are in.
Max Jones: I am not sure that I understand.
Q343 Rosie Cooper: Okay. I understand that you are talking about opt-outs from GP records, but you do not apply that kind of testing—those rigorous things you are talking about. You have just thrown all that information out there to people, because you don’t know.
Kingsley Manning: I am terribly sorry, but I think there is a slight confusion here. We do apply all these testing processes to everything we do. The result, by the way, is why our service-level systems of our spine operate at 99.97% up time. The record of our ability to deliver high-quality technology systems is in the fact that the lights are on and on all the time in the NHS.
Q344 Rosie Cooper: That was what you said to Barbara. You don’t know who has your information, so how can you say that? It is just crazy.
Kingsley Manning: And that is entirely consistent with the legal position. If you have any evidence that we have in any way breached our regulations or legal position, I would be very happy and keen to have it. Please give us some evidence.
Q345 Valerie Vaz: Could you just give us the timetable for that?
Kingsley Manning: The process is going over the next six months and indeed, as you are aware—
Q346 Valerie Vaz: I know it is going on over the next six months, but do you have a more specific timetable? Are you going to hit 1 October and say that you have not got all the way through? Do you have a timetable for this process?
Max Jones: I do not have that with me, but I would be happy to come back to you.
Kingsley Manning: If you would like to see the Gantt chart that sets out the regression testing, we will happily do it.
Q347 Valerie Vaz: We need this information—people need this information—so you will come back to the Committee and tell us what your timetable for this is.
Kingsley Manning: Yes, and if you would like to visit Leeds, we will take you through the testing regime and demonstrate it to you on the ground.
Q348 Valerie Vaz: May I just explain something? It is not just about a dialogue between you, me and the Chair; it is about members of the public outside knowing and feeling confident about it.
Kingsley Manning: Absolutely, and you are their representative.
Q349 Valerie Vaz: Maybe you are used to doing things in rooms behind closed doors, but we are here to ask you questions on behalf of the public.
Kingsley Manning: Actually, we don’t do things behind closed doors. We have actually opened the doors. We hold all our board meetings in public.
Valerie Vaz: Don’t take it personally; it is not about us.
Rosie Cooper: And all the information goes flowing out.
Kingsley Manning: We have been the first organisation ever to publish this information—and voluntarily, I may say.
Q350 Barbara Keeley: Can I ask you a further question about opt-outs? I have asked questions previously, especially of the Minister, and did not get an answer.
It is possible, given what we have covered earlier, that you will say to me that nothing can be done, but this question was posed: if a patient wanted to have their HES data records removed—as my colleague just said, that data is already out there—could that be done? I specifically want to ask you—
Kingsley Manning: Sorry, do you want us to answer that point?
Barbara Keeley: No. Let me just carry on. I specifically want to ask you about a form that is on your website: “Data Protection Act 1998: Withdrawal of consent to the processing of personal information for secondary care purposes”. It may be that that is the answer.
Max Jones: It is.
Q351 Barbara Keeley: Okay, because the junk leaflet that did not get to all households had no opt-out form. It made it sound like something you had to make an appointment for with your GP, which I think was disastrous. Online sources have an opt-out form, and then there is this withdrawal of consent form.
I have to say to you that, reading through this form, I think it is intrusive in the extreme. You have gone from a situation where there is no opt-out form and you say, “See your GP,” to this form, where you have to give a lot of information about yourself, including things that I don’t think people should be asked for. Beyond date of birth and NHS number if known and so on, I don’t see why e-mail addresses and telephone numbers are really necessary. It goes on to demand proof of identity, such as driving licence, passport or birth certificate, and confirmation of address, such as utility bill, bank statement or credit card statement—
Kingsley Manning: I think—
Barbara Keeley: Let me finish.
Kingsley Manning: We have a duty of care—
Barbara Keeley: Let me finish.
Rosie Cooper: Unless you are a commercial company—
Chair: Order. One at a time.
Q352 Barbara Keeley: Can you just let me finish?
I looked at this form and I found it difficult. We have been navigating around this system. After all these quite intrusive demands for information, we get on to an explanation of what happens if you request your patient information to be removed or anonymised. It states that “your data will be anonymised rather than removed”, but it goes on to say that there is a further step where you can request removal of your records from the National Health Application and Infrastructure Service (NHAIS). Then it says this most damning thing: if you do that, your GP would no longer wish to have you on their list, and you would not be called for screening for things such as aortic abdominal aneurysm, which is a serious condition.
Effectively, that is saying to people, “Yes, we can remove your records, but your GP wouldn’t want you on his list, and you wouldn’t be called for quite serious medical screening.” Surely there is something that falls short of that where a person can say, “I don’t want my records sold to these commercial companies, or to be used by insurance actuaries or comparison websites; I just want them used for my care.” I have asked the Minister this. You have produced a form that, I have to tell you, is quite scary. It is quite intrusive and it is quite scary. It says that if you fill it right to the end—it is quite confusing as to whether there are different steps here—your GP would no longer wish to have you on their list, and you wouldn’t be called for screening for serious medical conditions.
Kingsley Manning: Shall we deal with the points one by one?
We have to be clear about the identity of the individual requesting the removal, because it is perfectly possible to have identity fraud. People could seek to get someone else’s records removed from the system. Removal of records from the system has significant impacts on, for example, prescribing and NHS records, so we have to be clear that the individual requesting the removal of their records is indeed the individual they say they are, and that is why we ask for proof of identity. We cannot do this simply over the telephone. I am perfectly happy to take away the fact that you feel that we may go too far.
Q353 Barbara Keeley: I think you do. I don’t think you need e-mail addresses and telephone numbers.
Kingsley Manning: That’s fine, but you understand our problem. We have to know that you are who you say you are to remove your record, rather than someone else’s, because it would be fairly devastating if that were the case. We have a duty of care on that.
The issue regarding what we would call dynamic consent—giving consent for different purposes—is one that we are conscious of. We think that we need to move in that direction. It is technically challenging to enable us to do that, because it is both contextually and technically difficult, but I completely accept that the current consent models are too limited and that the objection process is too complicated. We need to be able to make it reversible as well.
If we have taken you out of our records, identifying you for screening is very difficult. If you don’t exist in our records, it is very difficult to undertake the risk profiling.
Q354 Barbara Keeley: Nobody is going to take that last step, are they? Nobody is going to take the step of saying, “Take me out of the systems,” if you are saying to people, “Your GP wouldn’t want you on their system any more, and you wouldn’t be called for screening.” What I am saying is that, surely, there is a step short of that.
Kingsley Manning: We find people for screening by checking the databases. For example, for bowel screening, we write to anyone over the age of 60. If you are not on our data record, because you have asked to be removed, I cannot find you. If I cannot find you, I cannot screen you.
Q355 Barbara Keeley: But the question I put to the Minister, which we do not seem to be getting to, is that I think there is a very strong drive for people to say, “I want my individual health records to be used for my care, and even for commissioning that care, but not for all these other uses.” I think that is a very powerful desire. Why shouldn’t people ask for that? The data is about them.
Kingsley Manning: That is a very valid argument. As I said before, I think that the current system with regard to objections to consents is confused, complicated and technically difficult. We need to have a debate, and Dame Fiona Caldicott has raised the same issue. We have clearly got inconsistencies about objections and consent in different places in the system. That is partly the way it has grown up over the years, and partly because in the UK we had a presumption in favour of implied consent, which is totally different from international practice. That model has been accepted for 20 years. There is a case for discussing whether or not, particularly in the cases that you suggest, that needs to be reviewed. That would be a matter of discussion in Parliament, and we think that it is another area where—
Q356 Barbara Keeley: Given the variety of comments that I have received since we have started to debate it in Committee and in the Chamber, I genuinely think that the implied consent model breaks down at the point at which people’s data starts to be used for marketing purposes. It is different if your data is being used by researchers and academics, and by people who have built up a career and have integrity. You are effectively allowing data to some outfits that are just a couple of guys who are trying to set up some sort of GoCompare website. A lot of people are not comfortable that their data are used for such things, and nor am I. You say that, constitutionally, you cannot make that distinction, but that is the point at which we lose confidence in the consent that was always there.
Kingsley Manning: I recognise that. As I have said before, I am very happy if you can demonstrate where we have not acted within the current law and the current regulations. In the press release that I put out last week, I absolutely recognised that there are significant areas where I believe that there should be a greater debate about the use of data and about individuals. I could give you—
Q357 Barbara Keeley: I agree with you, but how will that debate be held?
Kingsley Manning: Hang on a second, if I may answer.
I could give you the legal answer, which is that under the law, once your data are pseudonymised, it is no longer your data. I do not think that that is an acceptable argument any longer, because I do believe that there are individuals who believe, in principle, that even if the data are anonymised, the data are still their data, which relate to them as individuals. As soon as the regulations come into place, and CAG or a similar body is put in place, we will ask for the ethicists and the public to have a discussion about what rules we should apply in allowing access to what sort of data. I accept that there may well be individuals who, on principle, irrespective of any other argument, do not want their data used for these purposes.
We also need to set out the costs and consequences of doing so, because equally I am under a significant pressure to enable and support the UK economy, to improve productivity and to be open to new companies entering the UK business and economy, and this is a discussion—
Q358 Rosie Cooper: This is talk about money. It is all about making money.
Kingsley Manning: I am terribly sorry, Ms Cooper, but I am just explaining the policy framework within which I work. I have two separate drivers, one of which is an open data agenda, which has been pursued by all Governments in the past decade. That agenda is aimed at making as much data available for as many people as possible, in the belief that it will result in significant benefits in terms of improving efficiency within the health care system, and in the wider economy. Against that is a very principled position, and I understand it, of those who say, “I don’t want my data used for that purpose.” That is a totally legitimate discussion that should be undertaken under the new regime.
Q359 Rosie Cooper: Are you going to have that before or after October?
Kingsley Manning: As I have already told you, the position in terms of care.data is entirely circumscribed. We have already identified that that data is to be used only for very specific purposes; it will not go beyond that purpose.
Q360 Barbara Keeley: In terms of applications that I have seen for our hospital data to be used in the United States, the view was that we have gone a lot further with open data. After the launch of HES data over there, comments were made such that liberalisation has gone a lot further—“You guys over there in the UK are taking all the chances.” To be perfectly honest, I do not think we should be in that position, but that is just a comment. Can I take you back—
Kingsley Manning: Sorry, could I comment on that?
Barbara Keeley: Indeed, but I want to go back to pseudonymisation and I am worried about the time.
Kingsley Manning: One of the great richnesses of our system is the homogeneity of the NHS today, which means that we are uniquely placed in the richness of our data. All Governments have seen that as being a base upon which we can support and promote our health care and pharmaceutical industries. The health care research industry in this country is worth £5 billion a year, which is critical to the UK economy, and it is fundamentally linked to availability of data. The fact that we have that data is critical to the continuation of that research industry in this country. We must therefore balance issues such as privacy, access and the support of the industry. People have to have that debate, but we need to identify benefits from this data, as well as the issues you have raised.
Q361 Barbara Keeley: Let me take you back to the question about pseudonymisation that we put to Max Jones in the previous session. I must say that he was pretty dismissive of pseudonymisation at source, and we have covered it a lot more, but I understand that software is available and is already being used for pseudonymisation at source. Research databases are being used and manage to link data successfully—I know that the view that data must be linked is a driver. The view coming across to us strongly from some people is that, if done properly and irreversibly, pseudonymisation makes the position safer, changes the data disclosure and changes obligations under the Data Protection Act. It is just safer.
I put a couple of points to Max Jones—that was one, and the other was the idea of safe havens, where the uses that you just mentioned, Mr Manning, are not denied, but it could be that the data is held only in one place and applications are run against it. Can you deal with pseudonymisation at source? You really were quite dismissive of it in the previous session, but a number of people out there think that it is one of the solutions.
Max Jones: That was not my intention. I was trying to put across—I will try harder this time—the fact that we at HSCIC are committed to and see the benefit of pseudonymisation as a technique for trying to protect the information about individuals that we hold. As I think I said at the previous hearing, we take that obligation seriously, as we do the Information Commissioner’s code of practice on anonymisation.
Another thing that I think I said at the previous hearing was that HSCIC has instituted a review of the available pseudonymisation techniques. The fact-finding phase of that review is now complete, and a draft report is being compiled as we speak. That will go to a meeting of a steering group that is being constituted to help to guide the HSCIC in its use of pseudonymisation as a tool for both the collection and publication of information. I see both uses of pseudonymisation as really very important. I think that the first meeting of that group is scheduled for 2 May, so it is coming up very shortly. In no way have we reached a conclusion about whether pseudonymisation at source is the right or wrong answer, but we will have to take into account the technical feasibility of implementing such solutions and the costs of doing so, as well as the benefits.
Q362 Barbara Keeley: But they are already being used, aren’t they? You mentioned their being technically feasible.
Max Jones: There are applications of pseudonymisation at source at the moment, absolutely, and a number of proponents of that approach have been invited to take part in the steering group. However, we must ask some important questions about how pseudonymisation may impact on our ability to identify individuals accurately and to link their records, particularly for data sources that are relatively low in NHS number coverage. First, as we start to think further forward, about social care and not just health and GP data—I think GP data have a long history of IT in the management of those records—we have to take into account the long-term vision and how we might move to a new way of working, if that is something we choose to put forward.
Secondly, we have to recognise that we as the HSCIS have an awful lot of information. When we think about pseudonymisation, we are going to link these data we collect to other data sources—that is one of the things that care.data talks about—and therefore some of the protections that pseudonymisation potentially gives may or may not provide the same benefits when sending it to a national organisation that has an obligation to collect and link those data. We have to recognise that there are benefits for certain cases, and I think I can see that, but I do not want to prejudge the outcome. At the previous meeting, I said that I was not yet convinced that it was the right answer. There are philosophical issues to discuss. This is not a simple, “We don’t currently do it, so I don’t want to do it.” It is a genuine interest in getting it right.
Q363 Barbara Keeley: May I make a comment? I found a presentation given at a seminar recently that involved staff at HSCIC, I think. There is an overhead that describes why pseudonymisation at source is difficult. It says things like, “It’s redundant in a secure, well governed environment. It’s complex and expensive. It provides false confidence.” All the negative things—the view you expressed last time—seem to come from the view of IT managers, so from the technical perspective. The next overhead had the benefits, and they were all from the point of view of the patient: “Without pseudonymisation, you risk substantial levels of patient and citizen objections. Without pseudonymisation, you lose data and devalue your dataset. Without pseudonymisation, the GP patient relationship is damaged and care may be impaired.” I must say, I think the patient reasons are a lot more compelling than the IT management reasons.
Max Jones: I think there are compelling arguments on both sides of that debate and that is why we have brought together a steering group with a variety of opinions. For me, one of the key things is to ensure that when we do our pseudonymisation and publish, disseminate and share that information with other organisations, we are also implementing best practice in how we do that. We have to have both a sense of expertise and the humility to know that we should be asking other people for their opinions and making sure that we are doing the very best that we and the industry can do in that process. We already, when we extract information for HES for example, make sure that that pseudonym is based on not only the recipient of those data, but the recipient and the purpose to which those data are put.
Q364 Rosie Cooper: And you don’t know where the information is now.
Max Jones: That is an extra level of provision. I cannot remember which member of the Health Committee raised it, but we take a view in seeing how we can restrict that data in the way we publish it. You mentioned in the case you referred to that we provided age, not date of birth and we provided a geographical area, not a post code. There are steps we take to protect the information.
Q365 Barbara Keeley: It didn’t look that difficult to overcome. In the examples I have seen which the commercial marketers were putting out there, it looked as if it would be quite easy to bring in other pieces of data.
Max Jones: But it would be entirely illegal to do so and it would be against the data-sharing agreements.
Q366 Barbara Keeley: I don’t think many members of the Committee share your view that that is enough of a penalty. We tried when the Bill was going through to make it a criminal penalty and the Government did not accept that. Frankly, that is the solution.
Kingsley Manning: May I answer your very interesting point about the safe havens and also the notion that we do not release the data? You may be aware that we have already run an experimental process; we are essentially holding the data and allowing investigators to manipulate the data within our framework. We think that that is a very interesting way forward. The process of giving data away—I don’t know if we do it on DVDs any longer—is relatively antiquated. We are therefore talking to the research community. It may well be a sensible solution with regard to supporting commissioning, where we may look at the costs and feasibility, to move to a situation where we will effectively provide an analytical service where researchers and others can effectively undertake the research within our data lab. That is something we think is a very good idea. HMRC do it already, and we have looked at that, and also the Centre for Medicare and Midicaid Services (CMS) in the States, which is the equivalent body to ourselves. We think it is very good. I am meeting with the MRC in the near future to discuss it for researchers. This would—
Q367 Rosie Cooper: Forgive me; I agree with what you are saying right now and think it is fantastic, but why didn’t you do it before you allowed the information out?
Kingsley Manning: Because we started in 1988, when it would not have been feasible.
Q368 Rosie Cooper: This last tranche of information in the last year or so, the information that Barbara has been talking about, the HES information, why didn’t you say you would do it this way, the same way you are talking about now?
Kingsley Manning: Because we inherited the system as it is. The investment required to do this will be very significant. The technical challenges will be very significant indeed. I think that it is something that is very well worth investigating, and something that we are in the process of doing.
Q369 Rosie Cooper: Forgive me, this is like “Dad’s Army”. We have let the cat out of the bag. Can I ask you a quick question about the code of practice? At the last Committee session you talked about publishing it by the end of September and you were in the final stage of drafting the code. Why has it taken so long and when will you produce it?
Kingsley Manning: Perhaps I can answer this. When I became chairman on 3 June, I recognised that this was required. I was presented with a draft of the code of practice, which I considered reasonably unreadable from a layman’s point of view. We therefore rewrote it. In so doing, there was a view taken by the Department of Health and their lawyers that the document that we then produced did not meet the constitutional requirements of being a code of practice. What we did do was publish a guide to confidentiality which meets all the requirements of the code of practice. We published that in September last year with the support of the Secretary of State and of Fiona Caldicott. I am very happy to send you copies of this. It sets out all the requirements placed on the system as a whole in a highly readable way.
What we have subsequently done is agree with the Department of Health, with regard to the implementation of Caldicott part 2 and the code of practice, to form a whole system centre of alliance on IG promotion which will produce a code of practice which will cover the system as a totality.
Q370 Rosie Cooper: Will you extract data before that code of practice is finalised?
Kingsley Manning: May I just finish? Our current timetable on this—and this is particularly helpful in the context of the changes suggested to the Care Bill and the work we wanted on security—is that we will publish a draft code of practice for consultation at the end of June before we proceed with care.data. That will take into account the outcome of the consultation that I understand will be undertaken by Ministers with regard to regulations, also to the changes of policy that Ministers will consider with regard to the establishment of accredited safe havens.
Q371 Rosie Cooper: Not consultation. Will you actually have an agreed code of practice before you extract data?
Kingsley Manning: Subject to consultation, yes.
Rosie Cooper: May I just—
Chair: One more, Rosie, otherwise we are going to be here all night.
Q372 Rosie Cooper: When we talked about asking to opt out, you said you were going to monitor objection rates. Why would you do that?
Max Jones: The most important reason is for me to understand the statistical validity of the data which we have extracted. For example, one of my team is a head of practice for statistics within our organisation. We need to understand the extent to which we have a representative population geographically or a statistical size which is meaningful and allows us still to draw useful conclusions, and to understand the limitations of that data when we publish it.
Q373 Rosie Cooper: Okay. So far, if you want to opt out you are blackmailed because your GP won’t want you and you won’t be recalled—
Kingsley Manning: Hang on a second. The opt-out that we referred to in the HES data is separate from the opt-out in care.data. Your comment, I am afraid, is incorrect.
Q374 Rosie Cooper: Okay, that’s fine. Can you tell me the consequences of opting out of care.data, then?
Kingsley Manning: In terms of your care record, if you opt out of type 1, your data will not be transferred for the purpose of the care.data programme for secondary uses. It won’t affect, by the way, the transfer of data for direct care. It won’t impact on any direct service to you as a patient.
Q375 Rosie Cooper: So now let me join the two up, which was what I was trying to do. Forgive me; I wasn’t clear. If I want to opt out of HES, why would the GP want to use it? On your list there is the opt-out of care.data. Substantially, there is no effect, except that you are unable to know which GP practices have a higher rate. What will be the sanctions and how will GPs who have a high rate of opt-outs be treated?
Kingsley Manning: I absolutely cannot answer that, because their contractual relationship is with NHS England and that is a matter entirely for them. One of the reasons why we will want to know the opt-out rate is that you will want to know it. You will ask us what the opt-out rate is.
Q376 Rosie Cooper: In essence, we blackmailed patients, and now we are blackmailing GPs.
Kingsley Manning: We are not blackmailing GPs at all, and we are not blackmailing patients. Would you like to know what the opt-out rate is on HES?
Rosie Cooper: It is so difficult as to be virtually impossible.
Q377 Chair: There is not an opt-out rate for care.data yet, presumably.
Kingsley Manning: No, not on that, but in terms of the number of people who have acted to opt out, it is 3 opt-outs up until April 2013 and a further 14 opt outs since 1 April 2013.
Rosie Cooper: Absolutely. When I moved doctor, I got that form up, looked at it and went, “Oh my God!” I wrote to my GP and said, “Opt me out straight away from anything you will do, and I will get back with the rest of it.” I did not go mad about HES. Why? Because you have already released the stuff. So stop sitting there saying, “Oh dear, we have only got 14.” You opened the door and threw it out anyway, so there is no point in opting out.
Q378 Chair: May I bring us back to the point that you made a quarter of an hour ago? For the future, rather than doing it on DVDs or in some other way, you thought that it would be better if the data to which you were providing access remained under your control.
Kingsley Manning: We would essentially create a data lab. In effect, you rent time on our system—
Q379 Chair: You would create a data room and someone would have to use an identity to get into it.
Kingsley Manning: We are already doing that with a system called HDIS on an experimental basis.
Q380 Chair: May I ask you to develop that? What are the kinds of controls you think should be applied to people who want to use that kind of data? How do you operate that system now? If I want access to this putative data room—to use data for any form of research or other purposes—how do you decide whether that is an appropriate use of that data? In answering that question, may I ask you to reflect on whether the kind of ethics review that exists elsewhere in the clinical and academic world would be appropriate? Is that the kind of value judgment that you anticipate making in deciding whether someone should have access to this data room, or do you still rely on the proposition that the law says that this should be made available, with controls, to as many, or on as wide a basis, as possible?
Kingsley Manning: If we are looking into the future, rather than into the situation at the moment, as I have said several times, we welcome the proposed involvement of the CAG, which would bring precisely that ethical and moral dimension to these decisions. We agree entirely that that dimension has been absent in the past. Depending on the nature of the data you wanted, or of the processes you wanted to do—whether anonymised or pseudonymised—we would apply a series of tests as appropriate, and those tests would be advised to us by CAG. The advantage of doing this in a data lab is that we would have an audit trail, and that we could control access, what data was taken out and so forth. It is an attractive prospect, but the technical difficulties are significant.
Q381 Chair: With the technical difficulties, do you feel that it is possible to overcome them for both GP data and HES data?
Kingsley Manning: The current service that we are offering, essentially on a trial basis—experimentally—covers HES data.
Max Jones: It does cover HES data. At the moment, the only users of that HDIS service are in the public sector, not the private sector, during the trial period. We also make sure that all individuals who are users have been through individual training. They come to our training facility and have been trained on the site. They have not only user names and passwords, but a second-factor authentication to ensure that identity is assured to a higher level. However, we should review our experience of running that, which we have been doing for some months now. With the discussions that we have had with other Departments that are looking at, or have already implemented, such facilities, we will want to ensure that we take it forward in the right way.
Q382 Chair: So this data room principle is in effect already being operated—on a trial basis.
Kingsley Manning: We have a small trial on HES data already up and running. We are learning from that.
Q383 Chair: Is it the intention that, if the trial is successful, it would be the only way in which you would release data in future?
Kingsley Manning: It is too early to state that. We do not know the scale of the technical challenge, the costs associated or the investment required to deal with it.
Q384 Chair: What is the critical part of getting to the conclusions on that?
Kingsley Manning: We had a strategic programme in place—which, in fact, the care.data issue is a subsidiary of—on a renewal of our data management facility. We intend to put that into a business case—a strategic application for investment—later this summer. This issue of how we allow access to data for third parties will be a critical part of that.
Q385 Chair: “How” is a technical question of whether you release it or whether you provide access to its store, maintained by you, and the other question is the value judgment about who gets access to it.
Kingsley Manning: Yes, and that will be radically changed by the proposed amendments to the Care Bill, which will essentially replace the IAG and DAAG—the data access advisory group—process by a much stronger, more robust and more transparent process, which is much more akin to the process already in place for applications made for identifiable data under the section 251 process.
We very much welcome that. It would mean, essentially, that the same ethics body that advises on the application to the highest and most sensitive identifiable data for research purposes will be advising us with respect to all our data releases. I have already identified four groups of generic data releases for which we think that their advice and guidance would be very welcome indeed: marketing; passing data to third parties in government; infomatics; and information intermediaries. We would hope that they would be in a position to give us guidance on that within the time scale of the amendments going through the Bill.
Q386 Chair: If this was the way in which this process went in the coming months and years, would that lose any legitimate operational opportunities from the benefits that the research and the service planning communities see from the original care.data? Do the controls make the operational benefits more difficult to achieve?
Kingsley Manning: There are always going to be lots and lots of people who want to accumulate lots and lots of data in their own boxes. One of the reasons why we are interested in exploring the idea is because we are getting a plethora of databases being accumulated in universities and various other places. That gives us a technical problem because of the transformation errors that arise. These databases therefore are changed as they go through time. I suspect that we are always going to have individuals who say, “I want to have my particular database.” We will have to discuss whether that will be feasible; there will always be that tension.
My own view is that I think we can overwhelmingly provide the service required, both for service planners and for researchers, through this type of service. There are good international examples and, as I said, from HMRC. To some degree, we clearly need to pursue it.
Q387 Chair: If NHS England came to you during the summer and said, “We want to go ahead with care.data, but only on this basis,” what would be the impact on the timing of care.data?
Kingsley Manning: As I have already said to you, the only access that we will give to care.data will be to NHS analysts. Our intention is that they will have to come physically to our building to access the data so, in a sense, we have already taken that one step. I think that that would be a natural progression—to extend this process exactly on this pathway.
Q388 Chair: Coming physically these days sounds a bit out of date.
Kingsley Manning: I know; it is antiquated, isn’t it?
Chair: You will be presenting them with cardboard files next.
Kingsley Manning: If you go to the data centre of HMRC, you are physically there and unable to take in paper or anything like that. We absolutely control the physical security. I know it is antiquated, but the danger is not the technology, but the people. It is that sort of level of control.
Q389 Chair: Okay, but the principle of qualified access to a data warehouse controlled by you is, you are saying, already implicit in care.data.
Kingsley Manning: We have discussed it with NHS England, and we are all agreed that it is a very attractive option that we need to test to see whether it meets any objections from those who need to see the data and whether it has any operational impact. It clearly answers a number of the problems that have been raised today, and it is something that we think is well worth pursuing.
Q390 Grahame M. Morris: I apologise for missing the bulk of the sitting.
Following on from Mr Manning’s response about it being antiquated to allow whole-population datasets on a DVD, I think it is incredibly risky, if not reckless, to allow individuals to take those away—if not on a DVD, in whatever format—when copies might be made.
I do not expect you to comment on my opinion, but, leading on from that, has not HSCIC commissioned a report on cyber-security by Sir Ian Andrews? I think the Committee was advised that Sir Ian Andrews was going to report by October. On that basis, would it not be prudent to wait until you have that report on cyber-security before we press ahead with the data extraction? Is it your intention to wait for the report on cyber-security?
Kingsley Manning: I commissioned that report as soon as I became chairman. We have had Sir Ian’s initial recommendations and we are now setting up a formal sub - committee board. We have no less than 27 actions resulting from that, which we are implementing in great detail.
Q391 Grahame M. Morris: Will that report be published or has it been published? Are these recommendations interim recommendations?
Kingsley Manning: No. We start from the principle that we will never be satisfied with the security levels we can achieve. We see the threat rising all the time. We will never be satisfied, so we are putting in place a substantial strengthening of our own data security. I am happy to share the report. I am concerned, because it deals with security and may include matters that we do not want to have in the public domain, but I am sure we could share it with the Committee on an individual basis. However, I do not want to go through the detail.
Chair: I don’t think, if I may say so, that it is appropriate to share things on a confidential basis with a Select Committee. I don’t think that is appropriate.
Q392 Grahame M. Morris: Just on how we might restore public confidence in relation to whole-population datasets and the general extraction of data from GP records—the system that is designed to collect data on request from records held by GPs and to provide information to those organisations that are approved by the Department of Health or NHS England—would that model of extracting data on request rather than a blanket extraction help to provide greater public confidence in the care.data system?
Kingsley Manning: I think it is an issue that it is interesting to discuss. We have an independent advisory group and a very strong group of individuals who are advising on this. We perceive that that will likely evolve in a way that will provide us with ongoing advice. There are strong arguments about people who want particular datasets extracted for different purposes. We are clear that what gets extracted is not our decision; it is subject to that independent body, which involves ethicists, patients, the public and clinicians, and we have abided by their advice and will continue to do so.
Q393 Barbara Keeley: You seemed to indicate that there was a coming debate around some of the issues we have been talking about, and specifically that you were open to rationalising the opt-out forms.
Kingsley Manning: On our site?
Barbara Keeley: Yes.
Kingsley Manning: I will go away and look at it. Our website is incredibly complicated, to say the least—I think we all recognise that. It is extremely good if you plough through it, but if you are unlucky, you will end up downloading 10 million lines of prescribing data.
Q394 Barbara Keeley: It is the design of the form. I think there needs to be a totally separate aspect of the rather frightening prospect of your GP dropping you—
Kingsley Manning: No, I entirely accept that.
Q395 Barbara Keeley: Perhaps there could be steps: please remove me from this database; please remove me from that database. It also needs an explanation that it will not be deleted and what the process will be. We have talked about this a lot and I could not interpret it.
Kingsley Manning: You have raised an interesting point. When somebody says they do not want us to hold their record, do we delete it, and if we do not delete it, what do we do with it—where does it go? So there are some really interesting questions there. I am happy to take that away. We need to be much more transparent about that.
Q396 Barbara Keeley: We would like a response on that.
Kingsley Manning: That is fine, but it will take us some time. We will have to think.
Q397 Chair: Could you write to us reasonably soon, even if it is only a handling strategy, rather than inviting us to wait for a year? We may find in a year’s time that the nature of the Committee has changed.
Kingsley Manning: Yes. I wasn’t thinking of a year.
Q398 Rosie Cooper: When you write, will you explain why a GP might not want you on his list if you opt out? If you could explain that, it would be really interesting.
Kingsley Manning: I am happy to do that. I have a suspicion that it is because they will not get paid if you are not on the list. You won’t appear on the register, and if you are not on the register, they won’t get paid.
Q399 Barbara Keeley: But it is the way it is phrased. It just looks like a threat that if you opt out, your GP will drop you and you will never have any screening.
Kingsley Manning: I entirely agree; the language is not—
Q400 Rosie Cooper: That is ridiculous: you won’t get paid. You cannot threaten the people of this country with that.
Kingsley Manning: It always comes back to GPs’ pay.
Chair: That is outside the scope of this inquiry, I am pleased to say. Thank you very much.
Oral evidence: Handling of NHS Patient Data, HC 1105 42