[Committee name]

Health Committee

Oral evidence: Handling NHS patient data, HC 952
Tuesday 1 July 2014

Ordered by the House of Commons to be published on 1 July 2014

Written evidence from witnesses:

– Health and Social Care Information Centre and NHS England

Members present: Dr Sarah Wollaston (Chair); Rosie Cooper; Andrew George; Barbara Keeley; Charlotte Leslie; Mr Virendra Sharma; David Tredinnick; Valerie Vaz

Questions 401-564

Witnesses: Kingsley Manning, Chair, Health and Social Care Information Centre, Sir Nick Partridge, Non-Executive Director, Health and Social Care Information Centre, and Tim Kelsey, National Director for Patients and Information, NHS England, gave evidence.

Chair: Thank you very much for coming, and I am sorry that we have kept you waiting. I note that, unfortunately, in about 20 or 25 minutes we expect there to be a Division, so we may have to have a temporary break, so apologies in advance for that.

We welcome you, and I wonder whether you would like to start by introducing yourselves.

Sir Nick Partridge: I am Sir Nick Partridge. I am a non-executive director of the Health and Social Care Information Centre. Previously, until the end of October last year, I was chief executive of the Terrence Higgins Trust, the HIV and sexual health charity for which I worked for almost 30 years, and for which I was chief executive for nearly 25 years.

Kingsley Manning: I am Kingsley Manning. As of June last year, I am the chair of the Health and Social Care Information Centre.

Tim Kelsey: I am Tim Kelsey. I am national director for Patients and Information at NHS England.

Q401 Chair: Thank you. Perhaps we can kick off with you, Sir Nick. In your review, you talk about how, in future, you must be able to show that your controls are “meticulous, fool-proof and solid as a rock.” Would you set out for us how that trust can be regained? That is particularly so as, in your report, you rather worryingly identify cases of data releases that cannot be traced—no one knows where the data went.

Sir Nick Partridge: I hope that my report is the first step in rebuilding patient and public trust in the Health and Social Care Information Centre. All parts of health and social care and every data controller—be that within health services, local authorities or the private sector—recognise their duties and the vital importance of protecting the confidentiality and security of patient data.

If I may, I shall take a slight step back and put the findings of the review into the broader context. First, my review and, obviously, the much more substantial piece of independent work undertaken by PricewaterhouseCoopers, looked at one small part of what the NHS Information Centre did during its lifetime between 2005 and 2013. It was specifically to look at the major data releases where there were either pseudonymised or identifiable data. Obviously, any identifiable data would have got through section 251 approval, but it was looking specifically at that.

My report was not a history of the NHS Information Centre. It did not cover all the very good work that it did in highlighting and identifying issues of concern to health and social care. It did not cover the over 1,000 reports that the Information Centre published on broad health issues in tracking, say, the changes in mortality, in tracking what we all talk about now—the ageing population, the growth in diabetes, the issues around obesity. All of those were the subjects of reports that the NHSIC delivered during its lifetime.

Similarly, my review did not cover all the broader issues about changes in informatics, changes in technology and the growth of big datasets, nor did it look at the real pressure that the Information Centre was under to deliver as much data to as many people as possible. That was outwith what we were looking at. What we were looking at specifically were the processes and procedures in place to guard and protect patient data, but also to make sure that the data could be used to the benefit of health and social care, be that in research or in the design and understanding of need for services now and in the future.

Within that, you are right that PricewaterhouseCoopers found that the information governance arrangements, the processes and procedures, were not followed as well as they should have been. It did find two instances where it could not, on its deep dive, find out where those data had gone. I am pleased to be able to report to you, as I did on “World at One,” that both of those data releases have now been resolved. One was an internal issue, where the request was originally not properly marked up and then could not be properly chased as a result of not having the right name in it; but data actually did not leave the Information Centre. It was an unresolved case: it should have been closed at the time but was not.

Q402 Chair: May I clarify that point? Somebody requested data and they were not released?

Sir Nick Partridge: No. It was an internal generation of a request for data that it thought was going to come in, but it did not, so nothing happened.

Q403 Chair: There was no request.

Sir Nick Partridge: No; it just did not go anywhere.

Kingsley Manning: This was in the time when Northgate was processing the data, and it effectively created a data release record in error. We have now confirmed that with Northgate. There was no data release.

Sir Nick Partridge: The second release was for the purposes of cancer research. There, the issue was about the named individual in the PCT, where there was a slight difference in her name. There was a phonetic difference in the name. That has now been resolved and identified, and the right processes and procedures were in place.

There is no instance now where we, as the HSCIC, cannot trace where data went. You have seen that, attached to my report, is the full listing of the 3,059 data releases that the Information Centre made. Every single one that contained either pseudonymised or identifiable information was identified, has been listed and is in the public domain. If anyone is concerned about where their data, in anonymised or pseudonymised form, went, they can look at that listing.

The other thing that I want to raise is the nine cases for research where we found that, because of changes in the law, they were no longer properly authorised. You will find details of those in the appendix, but I thought that it might be helpful for the record to remind us what those nine studies were, because they are important.

Certainly, I was concerned in undertaking this review that the purpose, from my perspective, was to ensure these data, which can be so rich, are used to improve the health and social care of people in England. I know the importance of that from my work at the Terrence Higgins Trust, where personal data around HIV and sexual health are highly sensitive. However, I also know that without really good epidemiological data we would not have understood the rapid spread of HIV and the way that it impacted on particular communities. Without the enormous research effort by the Medical Research Council, across industry and within universities, we would not have seen the development of the drug treatments that keep so many of my friends and colleagues alive today. I am crucially aware of the very real difference that research makes in a whole range of areas, be it in how services are designed and delivered, how they are funded, how we understand future trends and so on.

I thought it might be helpful for us to remind ourselves that these are nine cases where, sadly, the ONS gateway was not properly in place. They were suspended because they were all historical studies that were originally fully covered by section 60 of the Health and Social Care Act 2001, but their approvals were not updated following a legislative shift in 2006. They include the Institute of Child Health, with a study to track and report on patients who have received or who are currently receiving growth hormone therapy. There is the University of Cambridge, with the European prospective investigation into cancer, a study that investigates the link between food consumption and cancer. There is the University of Oxford, and the Oxford register of early childhood impairments, a study that uses information for planning services and support for children with disabilities such as cerebral palsy, deafness and blindness. There is the Imperial college healthcare trust, and its longitudinal mortality study tracking patients undergoing cardiothoracic surgical procedures at Hammersmith hospital. The University of Oxford—

Q404 Chair: May I stop you there? You are satisfied that all of these were for bona fide research purposes.

Sir Nick Partridge: Yes.

Q405 Chair: Perhaps you would supply us with a list.

Sir Nick Partridge: Okay. I shall provide a list.

Q406 Chair: I refer to a point that you made earlier about the importance of research to the Terrence Higgins Trust and those whom the trust represents. Do you have some concerns about data on sexually transmitted infections being excluded from care.data?

Sir Nick Partridge: I know that my colleagues in the National AIDS Trust recently produced a report, which I will happily send to you or ask the trust to send to you, where it raised exactly that point. There are issues specifically for HIV around whether there is going to be any significant disadvantage to people with HIV because data are not being collected. I know that Tim has heard of similar concerns being raised by other patient groups—around mental health, for example and what is kept within GP records.

There is a wide range of patient opinion, and people with HIV expressed this very clearly to me when we were looking at the development of the summary care record. The summary care record, as you will recall, has the particular medications on it, and of course, if you are on AZT or Truvada, then there is only thing that you can have. There was a split in opinion between those with HIV who absolutely wanted those data on their summary care records in case they were in a different city and fell ill or had an accident and ended up in A and E; they wanted those doctors to know the medication that they were on. On the other hand, there were those whose fears around confidentiality and anonymity were so great that they were prepared to take the risk of clinicians not knowing what treatment they were on. There is that range.

Q407 Barbara Keeley: I can understand you talking about research organisations and the importance that data sharing has to research, but that is not the problem for the public. It would help us today if we moved away from the things that the public are reassured about and on to the things that the public are not so happy about. The language that you use is at the pinnacle of understatement; I used to work in IT for a number of years, and I think that this is the most appalling mess.

One thing on which I really want to take issue with you is that you say that “no individual ever complained that their confidentiality had been breached as a result of data being shared.” You made that point about the NHS Information Centre, but individuals have complained. I have received a number of comments on social media from people who have made complaints, and I shall mention one or two cases.

There was a serious case in 2005, when the NHSIC was going—the case of Helen Wilkinson, which was debated in the House. This is an example of the things that can go wrong. Her patient records had a wrongly coded piece of information that recorded her as an alcoholic and having had treatment as an alcoholic. She was an NHS practice manager, and, having a career with the NHS, she was very concerned that incorrect information had been recorded about her by UCL hospital and then sent to a private company that was accessing those records. In the very earliest days of this activity, which you talk about in your report, there was an absolutely profound example of what can go wrong.

Given that one example of what can go wrong, of course other people have concerns too. On the point that you were just making to the Chair, I have had a heartfelt note from a patient—nothing to do with me as an MP—who said that he had gone to his doctor that day but not told the doctor the full facts about himself because he was so concerned that what he wanted to say, what he would have said, would find its way into the patient record. In the case of Helen Wilkinson, she withdrew entirely from the NHS, so that all her records were cancelled, and it was a big issue that was pursued in the House and in Downing Street in 2005. It is not the case, and it is inappropriate to say, that people have not complained.

I heard yesterday from somebody who has complained to the Information Commissioner as a data subject. He made a complaint about the release of data and health records to insurance companies, which this Committee talked about a few months ago. In May 2014, the Information Commissioner told this person, a Mr Baines, that it was already aware of the issue and was investigating, saying “we do not necessarily require individual complaints to consider taking further action,” and the case was closed. The Information Commissioner is not even looking, for whatever reason—that may be something that we shall look at—at individual complaints.

The language that you use is really inappropriate. A number of people and organisations have made complaints about their concerns and it is not going to help building for the future if you make those sorts of statements.

Sir Nick Partridge: I hope that I was clear in my report that I was reporting the facts as I saw them. It was not to deny or in any way understate the very real concerns, when talking around the summary care record and some people with HIV, about where data go. My apologies if you felt that it read that way. I hope that the other parts of my report—

Q408 Barbara Keeley: I can understand that you were trying to be reassuring but, for the sake of your colleagues and for the sake of taking this work forward, you have to acknowledge that there have been some serious issues.

The point about cases such as that of Helen Wilkinson is that it is a really bad thing to have a miscoded record in your patient records, but it starts to become a problem when it is shared. If it was only in your GP record, then it is not a concern; most people trust their GPs and the practice that they attend. Through your organisation, you are sharing data with insurance companies and the sorts of private companies that you list in your report. That is where the concern comes in.

It does not help, in my view, to gloss over the incidents that there have been, and the fears that people have had and the concerns that they are trying to put to the Information Commissioner—for instance, about releasing records to insurance companies—by saying that it is a fact that no one has ever complained. You fly in the face of the fact that somebody has given up being an NHS patient because of what happened to her records. That was a serious case. If you do not know about that case, I recommend that you all look at it, because it is quite important.

I take you up on another point that you made. You have just repeated the point that you made earlier, that people can track where their data go—that if they are interested in where their data go, they can look at the listing. It is good that we are finally starting to get these lists of where the data go, but I want to talk briefly about reuse agreements.

In paragraph 29, you say that there was “confusion regarding the differences between a Data Sharing Agreement and a Data Re-use Agreement, and in what circumstances they were appropriate.” In debates in the House, I have talked about commercial users of our hospital data, and I have cited to Ministers companies like Harvey Walsh, and companies with tools such as OmegaSolver, a comparison website—a private company that was developed and was given access recently. Harvey Walsh said that it had more than 1 billion linked patient records.

Those companies say that they have the ability to track patients over time. They have said that they have tools that can track patients through their hospital care. Clearly, that is a frightening prospect—it is not a frightening prospect if you are talking about research done for medical reasons by the charities and hospitals that you have talked about. Those are the things that frighten people, and I did not get any satisfactory answers when I put the matter to Ministers. I advise you that we should start getting some answers about this.

We have a question later about insurance companies, but we are not getting to the bottom of where all the data are going. We really are not. There are questions such as which companies and which data releases were done under commercial reuse licences, because you still have licences and agreements with organisations that can sell the data or move the data on. They have applications to do that.

Right at the outset, we need not to have this honeyed view of a few little glitches here and there. There are some serious things that people worry about, and I want to know that those issues are being recognised.

Sir Nick Partridge: I accept that, and I have absolutely no complacency at all about the seriousness of any individual data release. I go back in my thoughts to the start of my report where I say about patients and public data that “it is their data that we guard and it is their trust that we must earn.” That is the basis from which I went, and I accept your comment.

Q409 Barbara Keeley: I shall end with this point. Will you give the Committee a list of which companies and which releases were under commercial reuse licences? It seems that the NHSIC did not understand the difference between its own agreements and its different terms and licences. Will you assure us, going forward, that, as the recent legislation says, data will be released only for the NHS and care? I shall come later to questions about the insurance companies, but we absolutely need to know that. To be comfortable, we need to know where data have been released to. Where is the list—I have asked questions about this—of companies that can release data to other companies or individuals?

Kingsley Manning: I am perfectly happy to provide you with that list. To clarify the situation, we are currently reviewing all outstanding data agreements with all recipients. There are 777 of them and all are required—

Q410 Barbara Keeley: Would you say that again? You said it rather quietly.

Kingsley Manning: There are currently 777 extant data agreements. All of them are going to be subject to the application process, and are currently going through application processes as we speak. It will take us about eight months. They will be required to enter into a new type of agreement. We are going to have data sharing contracts.

Chair: May I ask you to speak up?

Kingsley Manning: We are having difficulty hearing you as well. I shall lean forward and attempt to shout. I am sorry, but there is a sort of buzz from behind which is very distracting.

We have absolutely taken on board your concerns. We are renewing and reviewing all of the outstanding agreements. There are 777 of them. We are doing that over the next eight months. They will all be required to reapply.

The reapplications will require a much more extensive declaration of information. All of the applications will be reviewed by the Data Advisory Group, and of course we will be applying the Care Act even before the regulations come into place. We will be applying the Act as set out, in terms of not wholly commercial purposes and for the benefit of the health and social care system. We will be applying that process and we will make it very transparent. All of those agreements will be available for public scrutiny. Following that, data sharing contracts will have an upgraded requirement with regard to audit, declarations and so forth.

At the same time, for each individual data release, they will be required to enter into a data sharing agreement, so we have a contract with an organisation and free data release. Each of the data releases will be reviewed by DAG; they will all be on the public record; and in every case they will require a clear statement with regard to any reuse and purpose. We shall also require the deletion of any data that are passed on under a reuse agreement, and also the right to audit.

Q411 Barbara Keeley: Will that apply retrospectively? You are talking about how it will be, and that will be good, but what about the past?

Kingsley Manning: Currently, there are 596 agreements that were made by the NHS IC that have now ceased. That, I think, is the precise number. We are in the process at the moment of contacting all those organisations where agreements have ceased to require deletion and certification of deletion. We think that that process will take about six months.

In parallel with that, we will start an audit process at the end of this month, so that the threat—it is not a threat, but we will follow up the requirement of certification of deletion by audit.

Chair: Thank you. We are going to have to take a break. We will be back shortly. I apologise for that.

Committee suspended for a Division in the House.

On resuming—

Chair: We are quorate, so we are going to start. I bring in David Tredinnick to ask the next question.

Q412 David Tredinnick: The overall impression that I get at the moment is that you feel that everything is fine, and we feel that there are things that we have not really heard about. Have you identified how the failure to properly authorise the nine research programmes came about? Have you identified how that failure came about?

Sir Nick, in fairness to you, my recollection is that you went through a list and explained that there was a muddle over names and various other things. Are you quite satisfied that you have identified all aspects of this failure?

Sir Nick Partridge: Yes, I am. The work that PricewaterhouseCoopers did was extensive. It used its standard methodology: looking in depth at 10% of the 3,059 data releases that the Information Centre made. There were issues that were raised that required a broader look—in particular, the nine research programmes are an example of that. Spotting one, it said, “Okay, this is serious enough that we should look at all within the medical information research services.” That is what it did, and that is why we know that there is that issue, which, as I said, was a result of changes in legislation that were not picked up at the time but should have been. It is now up to the ONS to make the appropriate gateway approval. Those approvals are under way, and I am led to believe that they will be retrospective, so the research will not be damaged.

Q413 David Tredinnick: With regard to the ONS legal gateway, you seem to be saying that it is an arm’s length situation and that it is their problem rather than ours.

Kingsley Manning: These studies are looking, as I said, at mortality data; these are ONS data, and we distribute the data to these studies on behalf of the ONS.

In 2010, there was a change that required a resubmission of all the people with these gateway notices. These nine organisations were left off the list; it was an administrative error. We spotted it as part of this review. So we know exactly why it arose.

Q414 David Tredinnick: It is a simple statement, but it has an enormity about it. How are you going to make sure that in future there are no simple “administrative errors,” as you describe them?

Kingsley Manning: First, may I comment on your opening statement about the fact that we are complacent? That is absolutely not the case.

Q415 David Tredinnick: I did not intend to insult you. I said that the impression was that you felt that everything was all right.

Kingsley Manning: I assure you that I and my board and our main management team do not think that that is the case at all.

Q416 David Tredinnick: That was the impression. As an opening statement, I said that the impression on this side of the fence was that we definitely felt that this was the case, as did my colleague Barbara Keeley.

Kingsley Manning: We were very clear as a new board, when we took responsibility for the IC, that everything was not right, and we put in hand a series of management changes and a series of process changes, which started in June last year with the reappointment of management.

One of the obvious failures that the review found was that the responsibility for managing releases with the Information Centre was diffuse, disaggregated and not consistent or robust. We have reorganised it such that there is a single management structure with a single senior manager responsible to the board. We have ensured that all data releases are reviewed by our advisory group, so that all are processed in the same way. We are ensuring that they will all have their agreements going through a process of reapplication, so that they all have the same data service agreements, and so forth.

We are installing our CRM system to ensure that we track all of these things, and we are publishing all the information. We have put in place a much more robust, much clearer process across the whole organisation. We are deeply concerned about it.

Sir Nick Partridge: The thing that surprised me more than anything was that there was not one clear, simple, effective and transparent process for the management of all data releases. There were, after all, 3,059; it was not beyond the wit of man to list all of those one by one, but that is not what had happened. It is what will happen in the future. There is one way in, and it will be tracked throughout that, from the request through to the deletion of those data.

Q417 Chair: This is staggering. You describe it as diffuse, disaggregate and not robust. That is sloppiness, and from an organisation that is controlling IT. Did that shock you deeply?

Sir Nick Partridge: As I said in my report, there were areas that concerned me. I thought that it was quite a hard-hitting and open report that laid bare the issues that we had seen—within the narrow scope, of course, of the data sharing agreements—in order that the new board and management team could draw a line in the sand and begin to rebuild patients’ trust and confidence in the use of their data. Clearly, I was not tough enough.

Chair: I see that both Rosie Cooper and Charlotte Leslie want to come in on that point, with a quick follow-up.

Q418 Rosie Cooper: Forgive me for joining you late.

Using the description that you have given, do you not think that fining people for breaches is not good enough to hold the industry or, indeed, your good selves to account, and that the only way that the public are ever going to have real confidence that you are engaged and absolutely committed to their confidentiality, and using this system properly, is if the use of the system in the way that you outline becomes a criminal offence and that people could go to jail for it? I would like to see some of you held to that level of account, because what has gone on is a disgrace. It is our information, but you just sit there. It is all very jovial, and you laugh while we sit and read in the newspapers just what happened to our information.

Sir Nick, you said that the ICO said that nobody had reported any breaches.

Chair: We have already covered that point, Rosie.

Rosie Cooper: Okay, but it was said that nobody had reported any breaches. Let me tell you that I did. What they told me to do was to go back to basics and start complaining from the bottom upwards, so it is not true. You cannot just run and hide. This has to be a criminal offence. You will not have people’s confidence in you until you are at risk because of what you do—not money, because the taxpayer will end up paying for it: you have to be on the line.

Chair: Would you like to respond to that point?

Kingsley Manning: As I replied to the same question last time, the question of criminal offence is not within our gift. It is a subject for yourselves, in terms of Parliament.

Q419 Rosie Cooper: Perhaps we should go there.

Kingsley Manning: I have to say that we, and I think you will find the ICO and others, would be sympathetic—not necessarily to a criminal offence but perhaps that the issues with respect to sanctions are inadequate, and that we might well be interested in where we might support that view. It is not something that we have any control over.

Q420 Charlotte Leslie: I am sorry for rejoining this session late.

I want to take us back quickly—could we make it quick, because we are limited in time?—to the nine cases, the nine research programmes, that had not been properly organised. You have begun to list them; we have done Imperial Healthcare Trust and we are now on No. 5. Would you quickly run through what the organisations are that were involved?

Sir Nick Partridge: The others were the University of Oxford, the University of Birmingham twice, the University of Cambridge and the Institute of Cancer Research.

Q421 Charlotte Leslie: I have one query. The reason it is interesting is not only the specific case but because I think that it might tell us about other cases.

The What About Youth survey was undertaken in November 2013 to February 2014. I asked some parliamentary questions about this. It emerges that the What About Youth survey did not have support under section 251 of the National Health Service Act 2006; nor, as far as I can see, was it on the list of data release. Here we have data collection from young people that was done without legal support, which was not on your data release.

I only got it because I happen to know about this myself, and I asked a parliamentary question. I was assured that the data were now deleted, but I have to find out when they were deleted. How can we be sure that the list of data releases and any information in the public domain is in any way complete, as this does not seem to be on it? If it is on the list and I have overlooked it, you have my full apologies and I should be grateful if you would point it out to me. However, we do not know what we do not know, and this would have been one of the things that we did not know—unless I had heard about it from another source.

Sir Nick Partridge: Clearly, my report and the PricewaterhouseCoopers review were into data releases by the IC. What you are referring to is a data release by HSCIC, as it is post-April 2013.

Kingsley Manning: I saw details of your parliamentary question this morning. I can confirm that the reply will say that the information has been deleted. My understanding—we will confirm this when the answer is written—is that the study never took place. The initial work was done on it, setting up and looking at methodologies, but it did not receive 251 clearance. Therefore, the initial methodological data were deleted and the study did not proceed. However, we will confirm that through the normal channels.

Q422 Charlotte Leslie: Tim, a lot of this is about public reassurance, because most people agree that there is a valuable place for data collection and research. What assurance can you give us that the incident that I have cited is a complete one-off? It does not seem to be that there are not other incidences where studies do go ahead, and the data list is incomplete.

Kingsley Manning: I am sorry, but I want to make clear that, as far as I am aware, there was never a data agreement in place, and data releases did not occur under 251. It would have been illegal for us to do so. We will confirm that, but it is not a missing study.

Q423 Charlotte Leslie: Okay, thank you. Tim, are you going to comment on the question of public confidence?

Tim Kelsey: Only to say that NHS England is in a position where, from time to time, it will issue directions to the Information Centre, on the basis that the data that are subsequently collected on its behalf are subject to the rules that Kingsley has just described. I am unaware of any situation since early 2013 that I can speak to for NHS England, in which any data will have been collected without being subject to the rules that have been described.

Chair: I am conscious that we are a bit pressed for time. Andrew, you were coming in with the next group of questions.

Q424 Andrew George: In terms of the data sharing agreements, there were four with three reinsurance companies. There was a clear indication that you should make it clear to them that they had to delete the data that they were otherwise able to use until 2015. In that case, particularly in relation to the provisions under the Care Act, what communications have you had with them, and are you confident that they have acted on what I assume must have been by now your instructions?

Sir Nick Partridge: Yes, I can. I can give you an update as to where we are. You are right that there are three organisations and four agreements.

The first is SCOR, which is a reinsurer. We asked whether it is planning to continue using its data, and SCOR is planning to do so. Is it going to delete data? No, it is not. Is it going to terminate its data sharing agreement? No, it is not. Does it use the HES data, the data that have been released, for individual insurance purposes? No, it does not.

For RGA reinsurers, it is not planning to continue using the HES data. It is going to delete those data. It is going to terminate its data sharing agreement. It, too, has confirmed that it did not use the data for individual insurances purposes.

Milliman is slightly different. It is a consultancy that uses HES data for NHS customers, and it is going to continue using the data for that. As a result, it is not going to be deleting those data until the end of its agreement. It is not going to terminate its data sharing agreement; it has a wish to expand its scope to include a cancer research project in future.

As I say, they are very different. They are not significantly around insurance, and because of that they of course did not use data for individual insurance purposes. Over and above this, we are in discussions with the Association of British Insurers, to find ways of meeting the requirements of the insurance industry through the provision of anonymised data only. There is a belief that much of this can be done using only anonymised data. Of course, it is important to remember that, when anyone looks for health insurance, they would give consent for their individual record to be used in that way. At the moment, that is the position.

Q425 Andrew George: You simply ask the question. There is no indication that there has been any instruction to delete.

Kingsley Manning: These are legitimate concerns.

Q426 Andrew George: Not even under the Care Act.

Kingsley Manning: No, not under the Care Act.

Q427 Andrew George: All that you are doing is collating information on their plans to use, delete or in future to manage the use of that.

Kingsley Manning: They will have to go through a process of reapplication. That reapplication will be subject to the advice of CAG, in accordance with the Care Act, and the Care Act is clear that it should have a health and social care advantage or benefit, and not be wholly commercial. We will be applying that test to any process of reapplication.

Q428 Andrew George: How will you know? They have until 2016, another two years, and they can do what they like. You are not watching them all the time. How can you possibly know?

Kingsley Manning: The data releases that they have were legally entered into, and they are proper and appropriate—

Rosie Cooper: Says who?

Chair: Rosie, let him finish.

Kingsley Manning: We suggested to them that we wish to gather further information about the use, and we have identified that the use does not include—indeed, it would be illegal—using the data to set individual subscriptions for insurance purposes. My understanding at this stage is that their current use would still be in line with the Care Act.

Q429 Andrew George: Of course, there are other ways in which they can use the data to inform how they might treat groups of patients for the purposes of their reinsurance rather than individuals.

Kingsley Manning: We are very enthusiastic and keen, and very supportive of the notion that these matters need to be considered by the Confidential Advisory Group, and we have identified four typical examples of where we need CAG’s advice. We are absolutely clear that the individual use of these data for individual insurance is totally outwith the legislation. However, its use when looking at the effects of chronic illness, life expectancy and so forth across an insurer is, we believe, within the current legislation—and, indeed, within the Care Act—but we will be asking and expecting CAG to provide us with advice on this, and we will be in discussions. Indeed, we have already started discussions with the Health Research Authority and CAG about doing precisely this ahead of the regulations.

Q430 Andrew George: The problem with the system is that it is a bit like genies out of bottles. Once they are out, there is virtually nothing that you can do.

Kingsley Manning: Under the arrangements, they have to state the purpose for which they are using the data. That has to be clearly stated. If they then use the data for any other purpose, they will clearly be in breach of the data sharing contract. My understanding is that, if, in discussion, that became apparent—and we are going through the process of auditing these people—there would be the potential for withdrawing the data. Indeed, one strike and out is the presumption.

Q431 Andrew George: It sounds a bit like a paper tiger. A lot of the evidence of your review and report, Sir Nick, seems to indicate that, with the best of intentions, you have not lived up to the narrative that you have just described. In other words, you have not successfully regulated or imposed, or monitored the management of data, and there have been lapses. There are clearly issues that still need to be resolved. We have a system that clearly is not being adequately monitored and regulated, so I do not see how you can speak with such confidence on the matter.

Kingsley Manning: I am not complacent, nor am I defending the process that we inherited. We are clearly in the process of putting in vastly more transparent and publicly scrutinised processes to improve the position.

Q432 Andrew George: We shall come back to the issue of to what extent some of the old guard are part of the new guard, and whether people can wash their hands of the past.

Kingsley Manning: We are making no attempt to wash our hands of the past. Indeed, we have taken full responsibility for sorting out the mess.

Q433 Andrew George: The Committee will deal with that as well.

On this area of data sharing, this is asking all three of you, with the benefit of hindsight and on reflection, whether it would not be better to have a system of data management that involved any external organisations wishing to undertake any kind of research, or had legitimate questions for which the data provide a useful source of information. Would it not be better if you hold on to the data, that you receive those questions, undertake the analysis and then provide them with the answers, rather than releasing this genie from the bottle, which we do not seem to be able to manage?

Kingsley Manning: We would be in agreement with that. We already have a data lab service available for some NHS customers. That is in development. In the case of care.data, we are specifically only going to put the data available in what we call a data lab environment. We are in discussions with the MRC and the CMO, Professor Sally Davies, about creating a data lab environment for the purposes of research.

Q434 Andrew George: You agree with me on that.

Kingsley Manning: Yes, we believe that to be by far the best way of approaching it. I would not wish to underestimate the technical challenge of doing that or the investment case, but we entirely agree that that would be appropriate.

In the meantime, we have a large and significant research industry and a health and social care system that still need access to the data, so we have to manage that in that transition period.

Andrew George: On the resource issue, it does not take an Einstein to work out that you have something extremely valuable for which people would be prepared to pay in order to get it. If you do not have the resource and people pay the money, you can undertake that research for them for a cost.

Chair: Andrew, we are coming to that later. I wonder whether we can stick with the original part of report.

Andrew George: I beg your pardon. I shall finish there.

Q435 Rosie Cooper: May I ask why, if using a data lab is a way out, none of the geniuses sitting before us thought of it before, unless they had a callous disregard for people’s privacy?

Kingsley Manning: Technically, it was very challenging to have done it historically.

Q436 Rosie Cooper: Ah, it is too hard.

Kingsley Manning: I am sorry, Ms Cooper, but the practical reality is that, when HES was started, the data were distributed on 5-inch floppy disks. We have moved on to a situation where the cost of storing and processing these data now means that the data lab solution becomes a feasible proposition.

Rosie Cooper: People’s personal records are invaluable to them.

Chair: Rosie, we covered a lot of this at the beginning, so I am going to move on to Barbara Keeley. I would like to hear Tim’s opinion on the issue of issue of data rooms, but we have a specific session on that later. Perhaps we can return to the subject of the PricewaterhouseCoopers review.

Q437 Barbara Keeley: Can I be clear about a point that you made earlier? It has been an important development in this Committee meeting. In the report that you gave us, you said that the HSCIC chief executive wrote to the three companies concerned asking them to delete the data ahead of the legislation coming into force. You are now saying to us that you do not have the authority to do that. You found that you have no authority to instruct insurance companies to delete the data. You presumably thought that you had when you wrote that report.

Kingsley Manning: I am not clear where you are quoting from.

Q438 Barbara Keeley: I am quoting from paragraph 27 of the report: “I ensured that the HSCIC’s Chief Executive wrote to the three companies concerned asking them to delete the data ahead of this legislation coming into force.” What you have just run through is that that is not what happened. What happened was that they said they are going to carry on using it.

Kingsley Manning: I confirm that we did indeed write to them asking them to delete the data. I made it clear that we had no power to require them to delete the data, but we did indeed invite them to do so.

Barbara Keeley: I have to tell you that that is an issue for this Committee. I was in debate with the Minister on amendments being made to the legislation, and the Minister was absolutely clear in what he said—that uses in future would be only for health and care. If you are saying that it is permissible to carry on with insurance and commercial uses, and there are other companies than insurance, then I have to say that what people are concerned about and what will cause them to not be frank with their doctors and to worry or to withdraw themselves from the NHS, as in the example that I gave, is this sort of thing.

People do not want their data to be sold on to marketing companies or insurance companies, or to GoCompare websites—which is something that you have done in recent months. They do not want that. They trust their GPs, and for the most part they trust their hospital doctors. Somehow, this does not seem to be getting through. You have almost glossed over the point that, as you have admitted to us, you cannot go back to them and instruct them to delete those data.

The question of the audit of deletions of data is important. There are two points. The first is one that I have already raised about data reuse agreements and who is the end user, and the other is your authority to do this. Perhaps the Chair might say that we can take that to Ministers.

Q439 Chair: Would you clarify something? You said the first company was the one that said it intends to carry on using the data and that it will not delete them. Would you remind the Committee of the name of that company? You are very softly spoken, and I did not catch its name.

Kingsley Manning: It is SCOR, which I understand is a reinsurance company.

Q440 Chair: You are saying that you have no powers to request them to delete data, and that even within the terms of the Care Act you believe that it would be illegal to do that.

Kingsley Manning: I am advised that we do not have the powers to ask them to delete data under the current data sharing agreement with have with them.

Q441 Chair: That extends to 2016.

Kingsley Manning: We are awaiting the announcement of the regulations with regard to CAG, and I believe that they will be laid before the House in September. We are working with CAG to look at cases such as this so that we have an early indication of how CAG will view them. I understand and am advised that the Act says that the use of the data has to be released for health and social care purposes and not for solely commercial purposes. That is the current position. We will be governed by, and have to take completely into account, the advice of the Confidentiality Adviser Group, and our future decision making will be subject to its advice.

Q442 Barbara Keeley: You told me earlier that there were 771 agreements.

Kingsley Manning: There are 777 current agreements.

Q443 Barbara Keeley: There are 777 current data reuse agreements, and you agreed to list the organisations that have those. We need to understand the nature of those organisations, because it may go beyond insurance companies to other companies, which do not have a health or social care remit, having the ability because they have an old data reuse agreement that can run on; so we need a list of all of those.

Kingsley Manning: They are all listed in Nick’s report and in the register that we released in April, and we are updating the register tomorrow. It is not only details on organisations, but details of the purposes of the ones that we have been involved in and indeed the data releases; they are all being put into the public domain.

Q444 Barbara Keeley: I shall move on, but you need to understand how important the issue of audit and deletion of data are to the public.

Sir Nick made nine recommendations in his review and Kingsley Manning has told us that they were all accepted—if that aspect of the report is accurate, whereas others do not seem to have been. Do you have a timetable for that implementation, as you did not give one in the report?

Sir Nick Partridge: Once the board has accepted the recommendation, there is an action plan with progress and target dates. Zipping down this plan—

Q445 Barbara Keeley: Would you let us have it?

Sir Nick Partridge: I shall let you have it.

Kingsley Manning: We have also said that we will publish an update on the implementation of those recommendations at each of our public board meetings, going forward.

Q446 Barbara Keeley: That has not been made public, and it was not sent to us.

Kingsley Manning: It is in our board minutes, which are now public.

Q447 Barbara Keeley: It would have been helpful if you had sent it to us.

I have a small follow-on question. There are various developments at HSCIC, things such as accrediting safe havens. Given what has been said again by this Committee today about the lack of confidence in your progress, I remind you that you have taken across from the NHSIC a substantial number of staff who worked in the old organisation, with all those bad ways, and all its muddled processes that are described in the report. Do you not think that you should implement those recommendations before you start moving on to new things like accrediting safe havens? There is a stage, I feel, and this is shared by other Committee members, that you have to do some confidence building before you start doing new things.

Kingsley Manning: I agree with that. We decided to start publishing data releases last December. We put that process in hand and we have made major changes to the relevant senior management. We have appointed Professor Martin Severs as the Caldicott guardian. He has an international reputation in this area and is totally independent.

Q448 Barbara Keeley: The staff to whom I refer are the more junior staff. We can all see that you have changed things at the senior level, but you have hundreds of people working at HSCIC who were part of those bad old ways, and they need to change what they do. If the sloppiness that is apparent in this report was allowed for many years in the old organisation, they will need a bit of time to adjust to the new regime.

Kingsley Manning: Sadly, it is not hundreds of people. Part of the problem is that there was a lack of resource devoted to this area. In fact, the core team is only 27 people. We put an additional 20 people into this resource area to deal with the issue of data releases, so we absolutely accept your point.

Q449 Barbara Keeley: The number of staff that moved across from the NHS Information Centre was more than 27, unless the answers that I have been given were wrong.

Kingsley Manning: I understand that, but we are one of the largest single employers of statisticians. They had nothing to do with the data release process.

This is a small part of what the IC did and does. We totally accept the requirement to change culture, and one of the things that PwC commented on was the willingness of the staff involved to become participants in the review, and indeed to contribute. One thing that we are absolutely keen on is that these individuals should come forward and identify problems, issues and so forth. We entirely accept that there has to be a change in culture.

Q450 Chair: Sir Nick, I know that you want to come in on this point.

Sir Nick Partridge: Yes, very briefly. One of the things that impressed me—as a non-executive director I come in and take a clear look at things—was the way in which those most impacted by this report were actively engaged in it and learned from it. Indeed, they were themselves frustrated at what they knew to be processes that were not good enough. What the recommendations do is to provide them with a better structure, and an end-to-end process that they will be able to work in to create that public trust, and to do the job that they want to do.

They are similarly absolutely clear about the importance of rebuilding trust. They want to see the individual’s healthcare data used in the best possible way, where security and confidentiality are protected, so that we can rebuild trust. That requires the transformation programme that is in place, and that there is a recognition of exactly where things went wrong and how they can be put right. I believe that that will happen, and we will report on that publicly at each of our board meetings.

Q451 Chair: I am keen to move on to Valerie, but on that point you said that the staff had concerns. Did they raise those concerns with anyone at the time?

Kingsley Manning: Neither Nick nor I was there. I would not comment.

Chair: You do not know. Okay; thank you.

Q452 Valerie Vaz: We are all extremely concerned that you had to come back to us. If it was not for the Select Committee asking you to return, this report would probably not have been done. We first heard about the breaches in The Daily Telegraph.

Kingsley Manning: I established a review immediately after the first Health Select Committee.

Q453 Valerie Vaz: Okay. Thank you for coming back.

Sir Nick, your report is quite devastating, is it not? I hope that this is in the public domain, so that any member of the public can see it.

Sir Nick Partridge: It certainly is. I have been interviewed on “World at One.” Yes, it is absolutely in the public domain.

Q454 Valerie Vaz: I have struggled with this, although it may be here, but I have read it a couple of times and I cannot see an apology in the report for what seem to be serious breaches.

Sir Nick Partridge: This is a report written about the NHS Information Centre. I was quite clear in paragraph 3 that these lapses occurred before the HSCIC came into being, so it might be said that they are not the HSCIC’s fault. However, that is beside the point. The lapses are very much our responsibility to address, but I feel uneasy about apologising for them on behalf of other people.

Q455 Valerie Vaz: You should apologise for the breaches, not on behalf of other people. You are in the organisation now, are you not?

Sir Nick Partridge: Yes.

Q456 Valerie Vaz: Right. Okay, you do not want to apologise.

Sir Nick Partridge: Where we know that things could have been done better in the past and where we know that we should have done better, I apologise. The commitment that comes along with that is to do it right in future. I believe that the recommendations and the action plans will put us in a place where we can do that.

Q457 Valerie Vaz: To clarify the matter—I could not hear a lot of what was going on earlier because there were a lot of questions forwards and backwards—you have made some interesting recommendations, and part of what we do is to try to move forward. When will those recommendations be implemented in their entirety?

Picking up on some of my colleagues’ points, you mentioned in recommendation No. 3 that you want a “robust audit function” on “how data are being used, stored and deleted,” which is something that you do not have now. You have said that one data sharing agreement will be developed.

Kingsley Manning: It has already been developed.

Q458 Valerie Vaz: Are people using it now?

Kingsley Manning: As I have already explained, we are going through a process of moving all current data agreements—all 777 of them—on to the new agreement. That will be completed, we suspect, by Christmas. That process is already in hand.

Q459 Valerie Vaz: So you will have the sanctions that you have asked for.

Kingsley Manning: We will have substantially strengthened the contractual relationship. I will be happy to supply you with copies of the new data service agreement and the data contract if you were interested; they are quite detailed and legal.

Sir Nick Partridge: I was keen to ensure that the review was done in a focused way, and that it was undertaken fast. Similarly, I was keen to ensure that the action points, with their completion target dates, were similarly enacted quickly. The last one is for 30 November 2014. All of the action points should have been completed by the end of November this year.

Q460 Valerie Vaz: Good. For the record, do you have the appropriate procedures in place now, so that anything that came out of this report would not happen again?

Sir Nick Partridge: For the record, I believe that when these recommendations are put in place we will have a rigorous process that the public and patients can rely upon; yes.

Q461 Valerie Vaz: May I take you to paragraph 24? You said that you took over in June last year. Is that right?

Sir Nick Partridge: How do you mean?

Q462 Valerie Vaz: On the new board, one of you said that you were all in place by June last year.

Sir Nick Partridge: Kingsley became chair in June last year.

Q463 Valerie Vaz: Why is it that something has not gone through a gateway in 2014?

Sir Nick Partridge: That was because of the legislative change that took place in 2006. It was not identified until we did this PwC piece of work. It is not something new in 2014.

Q464 Valerie Vaz: I don’t understand. I know that it is not something new—it is something that PwC has identified as happening on your watch—but you said that everything was okay since you came into post. I wonder why this is still going on.

Kingsley Manning: I do not think that I said that. What I said when I was appointed, and Nick was there a couple of months before—

Q465 Valerie Vaz: With the greatest respect, I am not attacking you. I am not asking you to account for everything. I am reading the words of the report, and merely asking you the question so that everyone can understand. That is all.

Kingsley Manning: This is to do with the issue with regard to the ONS clearances.

Valerie Vaz: Yes.

Kingsley Manning: The original administrative problem occurred in 2010. That is when the list went off to the ONS; it did not, as I understand it, include these nine organisations. It should have done, but it was not noticed until this year.

Q466 Valerie Vaz: I suppose that is what concerns everyone. Someone has to notice it.

Kingsley Manning: I agree.

Q467 Valerie Vaz: You are in charge of this and you did not notice it. You do not have procedures in place to notice it.

Kingsley Manning: That is the whole core of the process. We absolutely identified that the procedures were not in place, and we took action immediately and started the process of changing the management and the structure and process, which we have described in detail, to ensure that this cannot happen again.

Q468 Valerie Vaz: I understand that, but you had to commission a report to find it. You did not find it through your own procedures.

Kingsley Manning: We had already started a process.

Q469 Valerie Vaz: No, you did not. You did not come to us and say, “Oh, by the way, there is a breach. Something did not go through the gateway.” PwC had to produce a report before it was found out. You said it: it is your own paragraph.

Kingsley Manning: Yes, that is absolutely true, but—

Q470 Valerie Vaz: I am saying that it is still happening. We have identified a situation where it is still happening.

Kingsley Manning: We are taking over a situation where we are dealing with hundreds of data releases. We are improving the process as we go along. We are grateful for the focus that the Committee gave us on this, and we will clearly constantly be trawling through all our systems and our organisations to identify where there may be past problems. Indeed, one of the things that we are really concerned about is to encourage the staff and people in the organisation to come forward with issues such as this.

I may also say, by the way, that the nine organisations themselves had not noticed that they were no longer authorised.

Rosie Cooper: That’s okay, then.

Q471 Valerie Vaz: With the greatest respect, we entrust you with this.

Kingsley Manning: There is no excuse at all. Indeed, the authorisation was ultimately to do with them.

Q472 Valerie Vaz: I turn to paragraph 20. Will you explain this outsourcing to Northgate? I have no idea what the company is, what it does or who it is. Would you explain the procedure when you outsource?

Kingsley Manning: I am perfectly happy to tell you what I know, but clearly that was a long time ago. However, between us, we may be able to answer.

HES was originally run internally by the Department of Health, and it was at that point that it was outsourced to Northgate. Northgate is a data-processing organisation, which I understand is undertaking a wide range of data-processing activity on behalf of the Government. Indeed, until recently, it was still undertaking some data processing for us. It is an organisation like a range of other data-processing organisations that were contracted in. It was the IC that took the decision that that arrangement was unacceptable, so the system was physically brought in-house.

Q473 Valerie Vaz: Is the processing that it does within the jurisdiction or outside?

Kingsley Manning: Northgate no longer processes the data.

Q474 Valerie Vaz: That is definite.

Kingsley Manning: It is no longer doing the data releases. The data release process stopped in—

Sir Nick Partridge: In 2010, or even earlier.

Kingsley Manning: Or even earlier than that. It was in 2009.

Q475 Valerie Vaz: May I ask one more quick question? Are you satisfied that you are not in conflict with the Data Protection Act?

Kingsley Manning: We are extraordinarily concerned about the DPA. I had a three-hour meeting with the Information Commissioner on 11 June. We are constantly concerned about this, and we regularly refer ourselves and others to the ICO. We are in total consultation with them.

At this point, we have a number of ongoing investigations—not investigations, but a number of issues that we are looking at with the ICO. As far as I am aware, we are not at any point in breach of the DPA. I assure you that it is a matter of considerable and great concern for us.

Q476 Charlotte Leslie: Why were the expired licensees not required to delete data before?

Kingsley Manning: They have always been required to delete it.

Sir Nick Partridge: But there has not been a sufficient audit function, or one that I could identify. One seeks to make sure that it is now audited and happens. That is part of the end-to-end process that we are putting in place.

Q477 Charlotte Leslie: Are you now completely satisfied that that process is in place?

Sir Nick Partridge: When it is in place, that is what will happen.

Kingsley Manning: We have started the process, and in future we will actually require a physical certificate that you have deleted the data.

Q478 Barbara Keeley: What you have just said is not clear. You seemed to say earlier that you could not instruct deletions under the agreements that were in existence.

Kingsley Manning: When the data agreement expires, there is a requirement that the recipient organisation deletes the data—at the end of the data agreement.

Q479 Barbara Keeley: Do you audit that?

Kingsley Manning: We are absolutely able to audit now.

Q480 Barbara Keeley: It is not, “Are you able to do so?” but, “Do you audit it?”

Kingsley Manning: We are starting the audit process—

Q481 Barbara Keeley: You have not been auditing it.

Kingsley Manning: Absolutely not. That is one of the failures of the past regime.

Q482 Charlotte Leslie: Secondly, and very quickly, we understand that you are not able to require certain organisations to delete their data. Will you give us a rough estimate of how many patients’ records are now held by those organisations over which you have no control, in terms of requiring them to delete data?

Sir Nick Partridge: To be clear, the control is that at the end of their legally binding agreement they will delete the data.

Q483 Charlotte Leslie: I understand that, but you have just told the Committee that, for example, you have written to SCOR and CAG, inviting them to delete their data.

Sir Nick Partridge: To stop using the data.

Q484 Charlotte Leslie: They are completely entitled to give you the finger, and put your letter in the shredder. How many patients’ records do they and organisations like them currently hold, organisations that you are currently not able to require to delete the data legally, as you told the Committee earlier?

Kingsley Manning: I cannot give you that information.

Q485 Charlotte Leslie: Could you possibly write to the Committee giving as accurately as possible the number of patients whose data are held by those organisations that you specified you can invite to delete data but which you are not currently able to require to delete data at this point in time?

Kingsley Manning: To reiterate, this is pseudonymised data that is non-sensitive and cannot be identified. It would be illegal to re-identify it. Secondly, we clearly could require them to delete the data if we found them in breach of the agreement, but we have no evidence that they are in breach of the data agreement.

Q486 Charlotte Leslie: That is not what I was asking. I was simply asking whether you could give us a number of how many patients’ data are held under the situation that you have clearly outlined.

Kingsley Manning: Absolutely.

Q487 Barbara Keeley: Could I ask, as a member of the Committee, that you repeat this point? One of your previous board members, Dr Mark Davies, said publicly in an interview that has been reported that there was a possibility of re-identifying patients. We have all seen enough examples where combining data means that patients can be identified.

I gave examples earlier of companies that claim they can link patient care episodes across all the data that they have, and we know that that spans a lot of years. It is not helpful, as the report wording is not helpful, for you to keep reporting that it is completely not identifiable. That is not true. Dr Mark Davies said when he was in post that there is a possibility data can be re-identified, with lots of examples that have been cited in debates here. Let us not keep hearing that, because it is not helpful.

Kingsley Manning: May I answer that as a question?

Chair: Yes.

Kingsley Manning: We absolutely recognise that there is a theoretical risk in some cases where there are sufficient sensitive data items and pseudonymised data, for re-identification. That is why it is very strictly controlled. That is why our default position is not to give people de-anonymised data unless there is a clear, proper and appropriate purpose. Secondly, to re-identify anybody—

Q488 Barbara Keeley: That would include insurance, or whatever an end user wanted.

Kingsley Manning: No, it would be subject to the advice from the Confidentiality Advisory Group. I am bound by the advice of CAG. If it advises that it is inappropriate use, then we will not produce the data.

Q489 Barbara Keeley: That is in the future, but here we are talking about the past. That is a concern to people out there.

Kingsley Manning: In the past, I am advised and clear that it was a legitimate, proper and appropriate use of the pseudonymised data of this type. It is not being used for individual insurance purposes. In the case of Milliman, for example, it is being used primarily to support NHS organisations to manage their resources better.

Barbara Keeley: You can say that, but I go back to the point I made earlier that the public do not like this.

Q490 Chair: Are you saying that to use it for those purposes would be illegal anyway?

Tim Kelsey: On behalf of the Government, of which I am not a part, I clarify that the legislative intention of the Care Act is to do two really important things. One is to require the information centre to ensure that there is independent scrutiny of all uses of personal data, whether identifiable or pseudonymised, and extension of the existing role of the Confidentiality Advisory Group. Secondly, the data can only be used for health and care benefits specifically.

The regulations that will determine what those words mean will be laid before Parliament in the early autumn, but these are really important new safeguards. I agree that they are not effective at the moment, but they will be effective as soon as the Act is made effective by the regulations. That is the result of the whole care.data conversation, and I am sure that we will come to it later, but I make it clear that it would be illegal, and subject to independent scrutiny, for any insurance use or junk mail use. These data can only be used now for health and care benefits. To ensure that that is the case, there will be independent scrutiny.

Q491 Chair: That is from when the Act comes into force.

Tim Kelsey: The Act is now in force. We are in a period that is common with the law, between primary and secondary legislation. I do not believe that the Information Centre would, for one minute, now authorise any uses that were not consistent with those requirements.

Kingsley Manning: This is a complex question, on which we want the advice of CAG. We are quite clear that we cannot and will not provide data for wholly commercial purposes. For something that has no apparent benefit for health and social care, there is no question of providing the data. We cannot authorise any data that allow for the identification of individuals—for example, the setting up of premiums for insurances cases. However, if, for example, we have a private nursing home or group that wishes to access the data so that it can review its bench-marking services, then we will ask the advice of CAG as to whether or not that is appropriate, and we will be bound by that advice. It is a complex area.

Q492 Chair: Has SCOR set out what it wants to use these data for, and are you confident that it will not be using the data for commercial gain?

Kingsley Manning: It is a for-profit organisation, so in that sense it is operating for commercial gain. It is using the information for what we deem historically at least, and subject in future to CAG, for a legitimate purpose, which is to review the impact of changes in incidence of cancer and so forth in order to look at the impact on reinsurance rates.

Q493 Rosie Cooper: Are you saying that the legislation is badly written?

Kingsley Manning: I could not possibly say. We believe that, as the legislation was passed, we will absolutely live within it.

Q494 Rosie Cooper: Do you think that it was a superb piece of legislation?

Kingsley Manning: I am not an expert on legislative processes.

Rosie Cooper: Okay, so one incompetent organisation is not able to judge another one.

Q495 Valerie Vaz: I have a quick question. Where are you looking for a definition of health and social care? Is it a wide definition that you are looking for?

Kingsley Manning: You will remember that we are responsible for providing information and support for the whole of the health and social care system. Indeed, I am very anxious that, for example, in nursing homes and a whole series of other care settings we are devoid of information. We do not have sufficient information. We believe that the provision of this information to some of those organisations would be vastly beneficial, but it will be subject to the Confidentiality Advisory Group.

Q496 Valerie Vaz: I am asking about the definition. Will it be used solely for the purposes of health and social care?

Kingsley Manning: Yes.

Q497 Valerie Vaz: Who is making that definition? It is like a public interest test, is it not?

Kingsley Manning: Absolutely, and my understanding is that regulations will be laid before the House in September that will define it. There will be an opportunity, I hope and assume, to debate it. I am clear that CAG, which is a body of ethicists, clinicians, carers and social providers, will determine that on our behalf.

Q498 Valerie Vaz: Regulations will be laid in September.

Kingsley Manning: Yes, we are already working on the basis that the Care Act is in place. We are already in discussion with CAG as to how we can test this, and we seek its guidance. Even though the regulations are not there, we will not make any further data releases that we are not comfortable would meet these requirements.

Q499 Barbara Keeley: On approved use by a company that was a comparator website for the top private pay procedures, I have quoted that before. It was allowed in the last 12 months and given approval entirely to compare prices. It is a bit like GoCompare for insurance prices, but this compares private pay procedure prices. That was one of your releases in the last 12 months. That is not a health benefit. It is a financial thing.

Kingsley Manning: I would be anxious that we got appropriate ethical advice on that.

Q500 Barbara Keeley: That was approved during the last year.

Kingsley Manning: Yes, because under current arrangements it is perfectly legitimate that they have the information. The whole point of the legislation is to strengthen the guidance. As Tim has made clear, it is to strengthen the position, and we are very supportive of that. We believe that it is a substantial step forward. It is inappropriate for us to be making what are essentially ethical, “in principle” decisions. It is appropriate that an external body should do that.

Q501 Chair: Before we move on to the next group of questions, may I ask about one technical issue that has been raised with me? That is around the sample testing methodology.

I turn to appendix 6 of the report, the haphazard selection and a sampling method that takes in about 10%. Do you feel that that was appropriate? Do you think that there is a danger that you could have missed out some important cases? Do you feel that it would have been better to have taken a more risk-based approach, where you are targeting higher-risk cases?

Sir Nick Partridge: I believe that it was the appropriate methodology. It is one that is appropriate for looking at managerial and process issues. It is standard practice within audit companies like PwC.

It would have been inappropriate to have used a more clinical research kind of process to drive this. The proof of that particular pudding goes back to the research and the ONS issue. One was identified, and that sparked a straightforward, “Let’s look at all the others in that same grouping, and identify what is there.” That 10% or one in 10 sampling is robust enough to have identified the key issues, which the report has done, and to have thrown a spotlight on anything that required further investigation. It was appropriate for the kind of audit that it was.

Q502 Chair: You are satisfied that the high-risk grouping could not have been missed with this approach.

Sir Nick Partridge: Yes.

Chair: We are about to have a vote—it is imminent—but I am also keen that we move on from the PricewaterhouseCoopers report. Thank you, Sir Nick, for your comments on that.

Q503 David Tredinnick: I have some questions about the current position on healthcare data. What I want, and what I think most members of the Committee want, is to make sure that we safely put out there the most data that we can for improving healthcare in this country—the most that we can get hold of and safely put out there to the public. That is what we want.

We want to get this information out there, and, because of the dissemination of data, it is so easy. We heard in an earlier session that there are some data out there, right up in the cloud or even up on the dark web, which has been put up there for commercial gain, but nobody knows where the data have come from or where they are going. It only takes one slip and it is gone for ever, and is out there. That is why we have this forensic questioning. We are deeply worried about this, and I want to know what has been happening since the delay in the implementation of care.data was announced in February.

Tim Kelsey: I shall try to answer that. Essentially, everything that I have heard from the Committee is right in relation to the importance of ensuring that we do everything necessary to build trust in data sharing, and particularly the linkage of data and general practice in hospitals.

Since we postponed the programme in February, in response to legitimate concerns about the apparent absence of safeguards, borne out in Nick’s report, for the uses of data, the Care Act has done a lot to provide a new basis for that. However, there are other things that we need to do as well, which I shall come to in a second. Also, there is a lot of concern among GPs, patients and the public about the information that was provided to people to maximise their knowledge of the new right that they have to object to data being shared. We have not talked about that, but it is a really important additional safeguard.

Chair: I am sorry to interrupt you, Mr Kelsey, but there is another Division. It might be better, when we come back, having said what the problem is to focus on where we are now. That would be great. I am sorry that we have another interruption.

Committee suspended for a Division in the House.

On resuming—

Q504 Chair: I apologise again for the interruption. As David is back, it is best that we crack on. I remind the Committee that the nub of the question is what has been happening since the delay in implementation of care.data was announced in February.

Perhaps you could update us, Mr Kelsey. That would be really helpful.

Tim Kelsey: If the Committee remembers, there were a number of reasons why the decision to delay was made. The first was widespread concern in the media and elsewhere about safeguards on the uses of data. It became self-evident that, without some serious focus on that issue, public trust was at risk. We talked a little bit about the Care Act provisions, and I think that that is part of the way in which we can start to build trust in data sharing in general, and specifically this particular programme.

Alongside that, a number of concerns were raised by GPs and members of the public and their advocate groups around the degree to which the public information provided, and the different ways in which people were being informed of a relatively new right to be able to object to their data being shared, was being communicated. For those reasons, we took the decision to postpone the launch of the programme. Since then, we have been listening.

I am not afraid to say that we are learning a lot about how a modern public service needs to operate in relation to this incredibly important conversation with people about the way in which it suggests that their data are used. We have had about 120 events around the country since February, and we have engaged with nearly 3,000 different people right across the community, from civil liberties activists through to patient groups and individual citizens. What we are hearing is a consistent series of concerns that we need to address, and in a second I shall come to what we are doing to address those.

We have also listened by virtue of bringing together something called the care.data advisory group, which is chaired by Ciarán Devane, the chief executive of the Macmillan Cancer Relief fund and also a non-executive director of NHS England. A number of people behind me are on that group, but it brings together the BMA, the RCGP, Healthwatch and civil liberties groups, other patient groups and so on, into a constructive challenge to NHS England in rethinking how we are going to build trust in this programme. It is interesting that I personally have had numerous meetings with the BMA, RCGP and others, including Healthwatch, the research community at large, to start building a basis from which we can start to move.

The essential position that we are now in is that having listened, and continuing to listen, we are now proposing a phased rollout for the programme in the autumn. You will remember that we talked about a six-month delay. What is now being proposed is that indeed it will restart with a series of pathfinder practices, no more than 500, in the autumn period, and that phased rollout will investigate how best we can set a new standard for patient and public information in relation to this vital conversation.

As you were saying earlier, the objective that we all share is to ensure these data do flow to secure patient benefit as quickly as possible, but that needs to be done in the right way, and in a way where patients, public and GPs are all able to fulfil their functions and understand their rights properly. We will be running a series of pilots—what we call pathfinders—in the autumn to investigate how best that can be achieved.

That pathfinder phase will be subject to transparent and independent evaluation. We have asked a number of people to provide us with advice in reflecting on whether enough has been done at that point, or whether more needs to be done in relation to communicating the opt-out and other new positions. Fiona Caldicott’s independent information governance and oversight group, for example, has agreed to work with us on assuring a process around the monitoring of those pathfinders and the construction of the phase.

That is one really important lesson that we have learned. We want to work together with GPs, patient groups, local citizens and communities, Healthwatch and others, to come up with a schema that will deliver properly trust-based, properly informed steps, moving forward.

Alongside that, there are a number of other shifts and changes that we are proposing. One of them, as Kingsley mentioned earlier, is that when people access these data alongside the provisions of the Act they will be encouraged, and in some cases mandated, to do so inside the safe environment of the Information Centre. Where an organisation is of such a capability that it can be confident that it will manage data safely, subject to the various audit processes, it will be at risk under the new legislation of “one strike and you’re out.” There will be significant downsides for people who operate outside the safe environment of the Information Centre and handling the data, so the data laboratory, the sealed environment, is a really important part of the new proposals.

In addition to that, we have also committed to ensuring the scope of the programme, which I know is of particular concern to you. As Nick said earlier, it has been raised with me and the team by a number of parties. It was defined originally in direct negotiations with the BMA and the RCGP, and it was specifically designed to be of benefit to local commissioners. For reasons that are related to that, although I have to say that they are slightly opaque, certain classes of code were not included in the original scope, and those included musculoskeletal codes and also what are called sensitive codes.

We will be publishing a roadmap for how we will be offering people the chance to make a case for the inclusion of new codes of data within the extraction before we go to the pathfinder stage. We will obviously show the Committee details of that, because I know that it is a really important part of the programme moving forward.

In essence, there are many other detailed changes that we are making to the programme, but, broadly put, we hope that they are a combination of legislative an other safeguards, so that there can be complete transparency, and no doubt at all that linked data that are provided by people to this programme and the uses of that data are completely transparent, and that, on the other hand, they themselves are entirely aware of their right to object and for that objection to be upheld in the event that they do not want their data to be shared.

Q505 Chair: To clarify, there will be independent scrutiny of those pilot sites.

Tim Kelsey: Yes.

Q506 Chair: Did I hear you say that that will be under the auspices of Fiona Caldicott?

Tim Kelsey: Fiona chairs the independent information governance and oversight group, and that group will be one of the parties that will express an opinion about the degree to which we can assure the process for those pathfinders. Other leading voices, including Sally Davies, the CMO, and others, will also express a view. The care.data advisory group will express a view and the final decision will be made by the programme board of care.data, of which I am the senior responsible owner, but also in the context of the boards of NHS England and the Information Centre, as joint data controllers, being in agreement.

A number of key voices will need to be in agreement that we have achieved a suitable standard of public information and confidence before we move ahead.

Q507 David Tredinnick: We have your background.

Tim Kelsey: My personal background?

David Tredinnick: We all have your CVs, but you are executive director of transparent and open data at the Cabinet Office, and you have huge experience and have won awards for your innovative thinking. Is there anything in these new proposals that concerns you, given this huge range of experience?

Tim Kelsey: I am concerned about the fact that we are in a very different—the benefits case for this is really strong. We have continuing examples of poor cancer survival rates and late diagnosis of illness, which we know is harming people. There are people who are dying because we are not linking data in a way that will help us support general practice and local services to deliver earlier diagnosis of conditions.

That is on the one hand, and on the other we are in a 21st century environment where nothing is really safe data-wise. We have to be absolutely up front about that. We need to have a different kind of conversation with people about the trade-offs that we want them to be making with us—on the one hand how we service this extraordinarily important human benefit, but on the other give them the right to have a proper say in how their own data are shared.

To be honest, this is new territory, not only for healthcare but for public service in general. In this conversation, we are going to have to learn a lot. It will take time for us to make it happen in a way that is credible to some of those external authorities. It is a really big shame that this has not already happened. I think it is a long overdue conversation.

There are some big challenges, but all that I can do is to try and reassure the Committee that, in every single way that I can think of, we are trying to make this a problem that is owned not just by some grey bureaucrat in the public service but by the community of people who care about the future of the health service, such as Healthwatch, local charities, and the various GP leadership across the board.

Q508 Chair: May I raise one issue with you, Mr Kelsey? It is quite topical this week and I wonder whether you feel that it could be a risk. The Secretary of State has raised the possibility of red-flagging GPs, for example—naming and shaming was the term used. Do you think that that undermines the confidence that GPs would have in being involved in these pilot sites and wanting to share their data, if they see that it is going to be used in a naming and shaming kind of context rather than the context that was envisaged—that it should be about allowing us to identify outliers, and help them to improve their practice? Do you think that naming and shaming is a threat to participation in care.data?

Tim Kelsey: The Secretary of State and the Government have announced a series of plans to promote the transparency of healthcare. I applaud transparency, and I have long argued for it. The point that you are making is that it needs to be fair. I have to be clear that I am not entirely sure which dataset was being referred to by the Secretary of State, but for certain I support the push to the fair and open transparency of outcomes in healthcare.

Care.data, in terms of linking at this stage at least general practice data and hospital data, does enable a much more sensible and real conversation about the relative performance of different parts of the system. It is a complex issue, so in understanding the relative responsibility, say, for an avoidable death because of a late referral for cancer—

Q509 Chair: We are all agreed that identifying variation is important, but the question that I asked was whether that particular issue of naming and shaming or red-flagging is one that could set things back. As you will know, serious concerns were raised by the BMA and GPs about the original roll-out, and that is one of the reasons it was set back. Do you think that this particular announcement is likely to be, again, a barrier to their participation?

Tim Kelsey: To be honest, I spoke to the BMA this morning but I did not pick that up as an issue. I do not think that it is associating the legitimate public interest and understanding whether a local community is being served well or badly by a general practitioner or a local health service with data that is fair. I am not picking up that those announcements are impacting at this stage on people’s views around care.data.

In fact, just to be clear, I was at a meeting yesterday of the Nuffield Trust, where a number of GPs, wearing both their provider and their commissioner hats, were talking with enormous frustration about the degree to which the absence of these linked files, these linked data, safely shared, is contributing to their inability to do some important local things. However, I am not picking up people saying that the Government’s current push for transparency is somehow contaminating their interest in care.data.

Q510 Rosie Cooper: On GP pilots, will patients be written to—will they be required to opt in, or are you still operating the opt-out system? At our last meeting, when we discussed the form that people would have to complete in order to opt out, we generally agreed that it was quite aggressive and threatening. Have you changed that form?

Tim Kelsey: On the opt-out and the way that it was presented to people, and bearing in mind that this is not just a one-size-fits-all solution—there is the whole accessibility issue as well—it has been worked through in enormous detail. I reassure the Committee that the way in which the discussion is had will be much more personalised to the person with whom the conversation is being had, and we will evaluate that, just in terms of the opt-out.

In terms of the plan, it remains that it will be an opt-out based scheme. The reason for that, as the Committee will be aware, as you were told by Peter Weissberg at a previous hearing, is that the disease burden that we are aware of is with the most disadvantaged on the whole. The NHS has a fundamental obligation to serve the entire community, and for that reason and in order to plan services most effectively for need, we must have as much data as possible. Therefore, the opt-out is the remaining proposal that NHS England is proposing.

In terms of ways in which the opt-out will be properly informed to people, various people have raised with me the idea that a letter to patients may be an important part of raising awareness of their rights. In the pilot pathfinder phase, we will certainly be investigating whether that is a good tactic to make sure that people are properly informed.

Q511 Rosie Cooper: Can we go to simple sentences that involve what personalisation, as you just said it, means? The question was: has the form been changed?

Tim Kelsey: Yes, it has. The form is being changed.

Q512 Rosie Cooper: Has been changed or is being changed. Which? This is why I cannot listen to you guys. The language is waffly; it is all woolly; we are all over the shop. It has either been changed or it has not been changed. Which?

Kingsley Manning: We may be at slight cross-purposes here. You and Ms Keeley rightly had a go at us about the opt-out form that we have on our website.

Tim Kelsey: Oh, that is what you are referring to.

Kingsley Manning: We took that criticism away—it was fair criticism—and we consulted the ICO, and a new and much simpler and straightforward opt-out form is on our website today.

Q513 Rosie Cooper: If I go there today—

Kingsley Manning: We looked at it earlier, and it is there. I hope you find it.

Tim Kelsey: What I was referring to, in the context of these pilots, was that we want to work with GPs and patient organisations locally to develop the materials that will deliver to somebody with learning difficulties or somebody with other conditions the means of understanding what this is all about.

Q514 Rosie Cooper: Would you tell me about personalisation? How would you do that?

Tim Kelsey: As an example, one of my colleagues had a meeting with Mencap this week to talk about the materials appropriate for people with mental health difficulties in relation to explaining what an opt-out is—visual aids and all those sorts of things. One of the criticisms that were made at the time when we paused or delayed care.data was that we had not done enough work on accessibility of the information to the wider constituents of the community. That is what I mean.

Rosie Cooper: My father has been asked if he would contribute to cancer research, and he would want to, but I have written on it, “No, he won’t.” If you guys are involved, we will not have anything to do with it.

Chair: Valerie, do you feel that your question has been answered?

Valerie Vaz: Yes.

Chair: In that case, we shall move on.

Q515 Barbara Keeley: I have more questions about the opt-out. The question of respecting patient objections is one of the keys to moving forward with the pilots. I have to say that I rather resent you saying that I had a go at you about the consent form.

Kingsley Manning: You quite rightly made some useful and helpful points, and I was very grateful for that.

Q516 Barbara Keeley: That is a rather disparaging term, and it would be better if you did not use it.

Kingsley Manning: I was at the end of it.

Q517 Barbara Keeley: Fine. Okay.

You have a role in an organisation that has caused a lot of mess, a lot of pain and a lot of difficulties for people. I gave an example earlier of somebody who objected and who has come out of the NHS. I also gave the example of somebody who wrote to me saying that he was not as frank with his doctor as he might have been in a consultation because he was so worried about care.data. We have given examples where researchers in university are mining GP records. There are all kinds of things. There was a carelessness and, as we keep saying, it would be helpful to understand.

You touched on what progress you are making on that process, but this is the issue that you need to be more careful about. I was concerned at what you said about challenge—that you had appointed somebody from the research community that is going to most benefit. You said that somebody from Macmillan Cancer Relief fund was chairing the group on challenge. Do you not think that challenge needs to come from people who are not the best placed to benefit from moving forward with care.data?

Tim Kelsey: Care.data advisory group—I shall send round a note of the membership—includes Big Brother Watch and medConfidential. Macmillan chairs it and that is not just a research body but also provides health services. Membership also includes the current president of the Royal College of Psychiatrists, because there is a big issue about mental health data in relation to extraction.

Q518 Barbara Keeley: Yes, fine, but you said that it was chaired by somebody from Macmillan Cancer Relief. You are going to put at the heart of stakeholding, what you called a challenge group, somebody from an organisation that is most going to benefit. We all understand that cancer research organisations, and other research organisations and universities most want to benefit from this. They want more data—as you do yourself.

One point that we could go back to, because David made the point about your background, is that you were actually working for Dr Foster when the NHS Information Centre struck a deal on the release of data. I understand that you are an enthusiast yourself, but there is a difficulty in handling this, when moving forward on care.data with people like yourselves who are such enthusiasts.

You and I exchanged social media comments about “open data.” Perhaps everybody involved with challenge and with taking this forward is as much an enthusiast as you are. In some ways, you were not making much of a contribution earlier, when it was Sir Nick Partridge who was answering most of the questions. Does not your own background make it difficult for you to be in charge of the culture change that we have talked about? You are the enthusiast; you are the person who wants to go ahead at a pace. I have seen articles and presentations from people who work on this, and they are all enthusiastic about moving it forward. What we need to hear about is the caution, and the slow steps that will restore confidence. It is an interesting question for you.

Tim Kelsey: I do not think that I have ever faced as much of a challenge personally as I have faced in the last six months. It has been an important reflection, from people, including members of the Committee, who do not in any way share my world view at all, and may not support transparency. I think that people, on the whole, seem to support the use of data to drive improvements in healthcare, but not universally so. My response to that, and not only my response but the response of NHS England and of the community of people who care about an informed health service is, in this particular programme, to offer total transparency. With the phased rollouts, it is not me doing it; it will be a group of GPs, as I say up to about 500, from whom you will be able to hear directly. Were they able to discharge their responsibilities? Do patients in those practices feel that they understood their rights? It is a fair point: I am an enthusiast, but I also think that we are learning to listen in a way that I think will provide a solid basis for this kind of project moving forward.

Q519 Barbara Keeley: Was there independent scrutiny of the selection of those pilots, as Dame Fiona suggested? You said that she had been involved in monitoring.

Tim Kelsey: Yes, and not just monitoring but also in the process for selection. Yes, there will be a variety of independent inputs into how those practices are selected, and obviously we have been working with all the people that you would expect, including the GP bodies, to work that out, so that they were properly represented. One of the commitments that we have made is to try as hard as we can to make sure that, within those participating practices, are those that are sceptical, cynical or even critical of the programme.

Q520 Barbara Keeley: I have a further question about the use of data rooms for researchers. This was a safeguard. We have talked about various safeguards, and keeping the data, or some types of data, at the Information Centre requires researchers to go into that room. Perhaps you would tell us anything that you have learned from that experiment, and whether researchers have been happy with doing things in that way. These safeguards are very important.

Tim Kelsey: They are very important. I referenced it a little earlier that one of the preconditions for the initial extractions, even from the pilot sites, will be the publication by the Information Centre of its proposals for sealed environment facilities, and most users of these data will be either mandated or strongly encouraged to use them, subject to CAG oversight. There may be bodies that are given the ability to handle the data externally, but that will be subject to independent scrutiny. It will be a precondition of us beginning even the extractions of the pathfinder phase that those proposals are published.

Q521 Valerie Vaz: I wish to follow up on that. Will you say when the pilots are due to be over?

Tim Kelsey: At the moment, there are a number of preconditions that need to be met before they can even start. One of them is clarity around the regulations, which we talked about, in relation to being completely clear that commercial insurance will not be permitted any use of these data, and a variety of other components relevant to the Care Act.

There are some other preconditions, one of which is that the Information Centre has to publish its code of practice, which is a statutory requirement currently out to consultation, that it has published its proposals for the sealed environment that will be offered to people with appropriate authority to look at the data and so on—and, indeed, that the GP practices participating and their patient representatives groups have agreed that the materials and the style of the programme are appropriate, in their view. We will also have conducted independent research, which has now finally been commissioned, to ensure not only that we have a baseline in relation to public perception both nationally and within those GP pilot areas, but that we can monitor the degree to which there is indeed some view that at least the materials, and people’s sense of being invited to make a decision, has been made real.

All those things will be required before we can even start. My view right now is that, all being well, we will be looking at an initiation of the first extractions during the course of late October and early November, but there are no artificial deadlines. It is important that we get this right, so, if we feel uncomfortable at that point, we shall give ourselves more time.

Q522 Valerie Vaz: In your estimation, will your time frame go to the other side of May 2015?

Tim Kelsey: In terms of the national roll out?

Valerie Vaz: No, the pilots.

Tim Kelsey: The actual extraction is a two-second process, the data being removed from the software systems of GP practices, so the important bit is obviously when patients and GPs will be able to have their conversation.

Q523 Valerie Vaz: I know that, but you have to assess it, don’t you? You don’t have a pilot unless you want to assess the evidence.

Tim Kelsey: There will be a period during which the evaluation will be considered and recommendations made. I do not know, but that may take a month after the extractions have been determined, so that probably takes us into the early part of next year. There will then be a lot of consideration, and whether we move to a further set of pilots or beyond that will have to be decided at that time. I cannot give you a deadline, a time when it will happen.

Q524 Valerie Vaz: We are talking about the middle of 2015.

Tim Kelsey: It depends.

Q525 Valerie Vaz: What have you built within the system so that patients can find out where their identifiable data have gone? Is there any way that a patient can find out where their data have gone?

Tim Kelsey: This relates to the point that I was just discussing with the person from medConfidential outside. We want people to know how their data sharing benefited other people. It is really important that people can be aware that, if they take the decision to participate, they can see how their data has been used and to what benefit. One of the things that the Information Centre has committed to, and it will also be a precondition for the launch of the pathfinders, is that there is a process of complete transparency about the uses to which these data are put, as we have just discussed in terms of individual organisations and the uses to which the data are put. People will be able to track to some degree the way in which their data have benefited research. Is that what you wanted?

Q526 Valerie Vaz: Joe and Josephine public—it is their data. Is there anything in the system so that a person can know where their data have gone and for what purpose? It is a simple, straightforward question.

Tim Kelsey: The data will flow into the Information Centre if people do not opt out.

Q527 Valerie Vaz: They are not going to know—is that what you are saying?

Tim Kelsey: The Information Centre will then—

Q528 Rosie Cooper: In that case, you are not as enthusiastic for transparency as you thought you were.

Kingsley Manning: I think that this is a very important question, and I want to address it. You are talking about confidential data. If it is identifiable, the only likely reason that we would ever supply it to a third party, whoever it was, would be under section 251, colloquially. Under that, there is a requirement that we agree only if they cannot get individual consent. Notice of those has to be posted and individuals have to be given an opportunity to object.

At the moment, you have to go to the HRA website, which is all very complicated, but in our process we will increasingly make that available directly on our site, so that you will be able to see that these studies apply. One of the things that we are looking at is to put together an index system so that you will be able to ask us in future, “Where were my confidential data passed to? Which studies did they go to?” That is an entirely and absolutely appropriate thing to do. Pseudonymisation data are more difficult, because, once they leave us, they are de-identified.

Q529 Valerie Vaz: And if they are not?

Kingsley Manning: They are de-identified.

Q530 Chair: We will come on to that in a moment.

Kingsley Manning: That is more difficult. One of things that we are requiring under the data services contract that we are going to have is statement of associated benefits. If you come to us and say that you want the data for this purpose, we expect you to come back. You will be required to come back and say, “Actually, we did it, and this is the public benefit of it.” We will want to see a benefit case for it. Traceability, however, is an entirely reasonable expectation. It is up to us to find technical ways of doing it.

Q531 Barbara Keeley: We talked about this in earlier meetings in greater depth. We were told, I think by Dr Hippisley-Cox, that there was mining by undergraduates or graduates, people at universities, of NHS GP records—that there were pilots to do that, and that it was done without that support, and I have raised it a couple of times. Can you assure us that nothing of that sort is going on any more? I have sought assurances and not got them in the past. You have been very clear about this.

Kingsley Manning: At the moment, we do not have any access to GP records other than for purposes of things like QOF and immunisation records and the rest of it.

Q532 Barbara Keeley: Who would know, if not yourselves?

Kingsley Manning: One of the things for which we have been commissioned by the Secretary of State is to take a much broader responsibility with regard to data security across the system as a whole. I share your concern that we hear equally colloquial stories about this or that being done.

Q533 Barbara Keeley: It was not a colloquial story; it was given to us in evidence.

Kingsley Manning: Where we have hard evidence, it would clearly be illegal. We would alert the ICO immediately and we would take action against any organisation that was misusing data.

Tim Kelsey: If Julia has examples, she needs to report them to the ICO.

Kingsley Manning: Absolutely. If anybody has any evidence of this, then we want to know, and so does the ICO. We are generally concerned, to be blunt, about the level of data security across the system, in the light of the improvements in technology, the increased risk from state and state-sponsored organisations and organised crime.

Q534 Barbara Keeley: I shall send you the information that I was given, but I raise it because we were given it.

Kingsley Manning: One of the things that we are encouraging in our own organisation is the notion that the individuals should tell us about data breaches. We want more data breaches to be responded to; we want to know what goes on in the system, because that is the only way that we will get it better.

Q535 Barbara Keeley: To be clear, individuals are not going to know that their records are being mined. The research community knows.

Kingsley Manning: If somebody knows where this is happening, then in our view they have a public duty to tell us.

Q536 Rosie Cooper: There is a duty for you not to allow it to happen. If people lose a few bits of data, if a hospital loses a laptop or a hard drive, there is mayhem, but you can lose 50 million and it is okay.

Kingsley Manning: We have not lost it.

Q537 Rosie Cooper: You have just given it away.

Kingsley Manning: No, we have not. It is under a strict regime.

Chair: Charlotte is next, and we have already dealt with the PricewaterhouseCoopers issue.

Q538 Charlotte Leslie: I am going to take you back to a question that I asked much earlier. There has been a lack of clarity and it is easier to get things cleared now rather than you write me letters later.

It is regarding the What About Youth study. I would like some clarity for the public record. It did not receive section 251 support. On the website, it says, “We have received approval to use your child’s contact details only for this study…Your contact details were taken from NHS Registration data, held by the Health and Social Care Information Centre and the Department for Education’s National Pupil Database, which contains details of every pupil in England. The NHS Registration data has been used as it is a reliable source” and so on.

It says, “We have received approval” for this study. People are asking whether, if it has not received section 251 approval, it has received any approval. Would you clarify that, because it appears to the layman to be contradictory to what you told us earlier?

Kingsley Manning: I am sorry, but I was given notice of this half an hour before coming here this afternoon. I am not going to comment any further than I did earlier. To do so would be improper. I have given you what I am aware of. I am sorry, but I cannot go beyond that at this point.

Q539 Charlotte Leslie: Perhaps you will write to us.

Kingsley Manning: Indeed, if you had put down a parliamentary question. But I was alerted to the matter this morning. We will give you a complete answer.

Q540 Charlotte Leslie: I understand that. You will understand that the Committee’s job is to raise concerns on behalf of the public, and this appears to be contradictory.

Kingsley Manning: I am sorry, but I am the non-executive director of an organisation of 2,200 people. I was given half an hour’s notice of this question. I will ensure that you get the detailed response that you require.

Charlotte Leslie: That would be very kind. Thank you.

Q541 Barbara Keeley: I have the reference to information that the Committee was given, which I mentioned in debate in the House. Professor Hippisley-Cox and Professor Ross Anderson pointed out in evidence to us that research has already made use of free text from GP patient records. Medical students and computer science postgraduates at the University of Sussex in Brighton and Sussex medical school have begun analysing doctors’ notes taken from free text. We understand that that was done without section 251 support. That is the evidence that was given to us. The reason I have raised it is because of concern.

Kingsley Manning: We extract no free text from GP systems. I am alarmed by what you say.

Barbara Keeley: I understand that, but you pointed out that you should be in control of that, and I think that you should.

Q542 Chair: On that point about free text, Mr Kelsey, may I ask if you would like to put on record whether you have any plans to extract free text in future? It is in free text that people often record their most personal data, and the public would feel concerned about that if they felt that there was an intention to extract free text.

Tim Kelsey: There is no current intention, nor is it in scope, for care.data to extract free text from GP systems. As I said, we are going to have a process that will be published in advance of the pathfinders to make sure that other omissions, like musculoskeletal, are included, but we do not plan to include free text.

Sir Nick Partridge: That is why I added as an appendix to my report what an HES data extract looks like.

Chair: Thank you. We come now to the question of pseudonymisation.

Q543 David Tredinnick: I am sorry that I had to leave the room for various reasons. Another concern has been that the data collected from GP records will contain specific identifiable information about patients that will then be anonymised by HSCIC. Has any progress been made on pseudonymising data at the point of collection? I think I have just about pronounced that correctly.

Kingsley Manning: We have set up a working group on the potential opportunities for pseudonymisation at source. That work is going on, but it is incredibly diverse. It is a debate and discussion that raises enormous technical challenges but also technical and emotional debate.

We are open-minded on this. We will publish an interim report before the end of the year. It is one of the routes to development that we are very keen to explore, to see about its viability. That work is ongoing, and I am happy to come back and report on it when we reach the stage where we have a conclusion.

Q544 Chair: It is the theoretical possibility, even though it would be illegal, of people being able to track data back to individuals that seems to be at the heart of this. That is something, as a group, you recognise.

Kingsley Manning: The problem is that linkage requires some degree of identification, so we are in this tremendously difficult bind. If we eliminate any risk of re-identification, we cannot link the data. Even if we pseudonymised at source, we would still have to have some way in which we could link the data, and that would require us to have some process of putting identifiers in.

Q545 Chair: You would be linking it with a hospital record not necessarily back to an individual that somebody could identify.

Kingsley Manning: We would have to know which hospital record went with which GP record. It is very tricky little problem, one that we are spending a lot of time and effort on.

Q546 Chair: You are actively looking at that.

Kingsley Manning: As I said, we have a working party on it. By the way, it is populated by a whole range of external experts; it is not an internal one to us. We are taking the best available advice.

Q547 David Tredinnick: At our meeting of 8 April, Max Jones said that HSCIC was undertaking a review of all available pseudonymisation techniques, which was going to be put to a steering group. Have any conclusions been drawn yet?

Kingsley Manning: As I said, interim outcomes will be available, I think, before Christmas.

Tim Kelsey: I am not a technical expert, but, unfortunately, at the moment, the NHS at large is in a position where it has not comprehensively adopted safe digital record keeping.

In our primary care and our general practice facilities, we have probably the world’s most advanced digital infrastructure, because the taxpayer has invested over a decade in building that. In our hospitals, we still have widespread paper record keeping. As a result, pseudonymisation at source depends in part at least on people using similar systems for their data handling. It will be quite a long period of time, even if we were to adopt that strategy—I have to say that I find it very attractive—before we could simply build it in a way that would enable data linkage to deliver the benefits that we have just described.

Pseudonymisation, to which this programme is fundamentally committed, whether it is in the Information Centre or at the GP source, needs to be as safe as is possible, but the opt-out exists for people who are still not persuaded that it is as safe as it can be. The Information Centre is conducting a review, with a whole range of experts, including Julia.

Kingsley Manning: Tim makes a very good point. Pseudonymisation at source might be most feasible within the GP system, but frankly some of the hospital systems technically cannot do it, so we have to think about ways to do this across the system as a whole.

Q548 Chair: It is enormously technically challenging, but you are looking at it.

Tim Kelsey: To enable linkage, yes.

Q549 Chair: I have a general question. Mr Kelsey, you have talked about people owning their records and being able to share them with whomever they like. That is of fundamental importance. We have been talking about a long-term conditions report that is coming out tomorrow, so we recognise the benefits of patients controlling their records and sharing them.

Given that fundamental principle that you own your own records, doesn’t that go to the heart of people then saying, “In that case, why don’t I have the ability to opt in, rather than opting out?” I completely see that you have set out the benefits of opting out, but is there a conflict between those two principles?

Tim Kelsey: The evidence is really clear that the people who need health services most receive them least, and they are also the least likely to opt in if we were to offer that service. If we want an inclusive national health service, we have to be able to plan in the interests of the entire community, particularly for those who would be least likely to opt in to the care.data scheme. That, however, is a public debate, and we can have it, but people take different positions.

Meanwhile, it is absolutely fundamental that we give people the right not just to access their own data but to do as they wish with them. In parallel with the care.data programme, NHS England is committed to providing citizens with access to GP records on their own terms, online if they wish it, from March 2015. Indeed, in the current GP contract, that requirement exists; it has been accepted in the contract. This year, GPs are required to provide that service. Next year, in agreement with the BMA, we will be enhancing the amount of data that flow, should people want to receive it online.

I share with you the fundamental view that this is people’s data, and that they should be able to gain access to them, for a whole range of different benefits. Given where we are digitally, in a future world we can imagine that, at that point, people would be able to express a preference for how those data might be used by third parties, but we are now in a situation where, for secondary uses of the sort that care.data represents—for the broader benefits of us and society—the only viable answer if you wanted to have a long-term sustainable health service is for an opt-out system to exist.

Q550 Chair: Further to the point about how people opt out, do you envisage a system where people could state their preferences? If they do decide to opt out, they could say which bits of the system they want to opt out of and which bits they would be happy to opt in to, and making that more specific, or would they be opting out of everything?

Tim Kelsey: Ben Goldacre, who is on the care.data advisory group, is among the voices calling for exactly that kind of preference. The first thing to say is that we are listening. We want to find ways in which we can do as much as possible to alleviate the concerns that people have about a poor opt-out. What we want is a good opt-out—in other words, an opt-out that is properly supported with information so that people can make a proper decision, and an opt-out that, as far as possible, gives people the chance to express their preferences. We have some logistical and technical issues, but we are working with Ben and others to figure out what the roadmap might be to a point where we can offer that.

Q551 Chair: Is it so technically difficult to say, “I would like to opt my data in to bona fide medical research but not for other purposes”?

Tim Kelsey: The matter has been raised and we are listening, but there are some technical complications.

Kingsley Manning: We have put in place a piece of work under Professor Martin Severs to look at the issue of consent and objection across the system as a whole. As I commented last time, at the moment it is incredibly confusing and it is not consistent across the totality. One of the things that we are looking at is the concept of dynamic or contextual consent—the notion that you could be specific. Technically, it is challenging and difficult, and it also raises some interesting questions about the security of the data once you pass them to third parties.

Q552 Chair: Exactly. Once the information has gone, it has gone, so you could not retrospectively withdraw it.

Kingsley Manning: If I download the data to my diabetes diary, for example, and then visit my GP, how do I reintegrate that data back into the GP system? Again, on the usage, I might change my mind. So it is technically challenging.

In their consultation document published last Wednesday, the Government made a commitment to move to a system based to a greater extent on consent, and that is a position that we very much support. The challenge for us is to find ways that are technically feasible and not unnecessarily expensive.

Q553 Chair: Is that going to be part of the pilot, so you will be comparing different ways?

Kingsley Manning: No. It is not feasible in the short term.

Q554 Rosie Cooper: Mr Kelsey, when we were talking about opting in or opting out, you said that the people who were most in need of health services would be those who were most unlikely to opt in. If I take that thought to its logical conclusion, if they are less likely to opt in, they are also less likely to express their preferences. They are just going to get what they are given, aren’t they?

Tim Kelsey: That is why we need to work really hard on creating a good opt-out. The challenge is that what Victor Adebowale has described as the inverse care law is a reality. We have to find ways in which we can communicate with all of our society, but particularly the most disadvantaged, to make sure that they are not in the position that you describe, so that they are as fully aware of their rights to object anybody else. It is a significant challenge, but we have to find a way to address it. That is why the care.data pilots are being phased; it is so that we can be transparent and properly understand how best to achieve that.

I honestly do not think that, so far, any public service has cracked the problem of inclusion on the scale that we are currently talking about. It is not a small undertaking.

Rosie Cooper: No, but no public service has taken all our medical records and thrown them into the ether, either.

Q555 Chair: A specific point which has been raised with me is what data fields would still be extracted, even if people opted out? It is a query that someone sent in.

Tim Kelsey: For clarity, may I read this out, so that we can be absolutely clear that it is on the record?

Once your objection is recorded, no information about you will leave your general practice other than in exceptional circumstances—e.g. court order or disease outbreak—under section 251. However, the HSCIC may hold data about you from other parts of the NHS—e.g. your local hospital—so your GP will send a message to the HSCIC to ensure that it also implements your wishes—i.e. it deletes the whole record that it holds on you. For that purpose this message will include your NHS number so that other bits of data can be deleted.

That is the way it works.

Q556 Chair: The extraction from hospital records will cease as well, if you opt out.

Tim Kelsey: Yes. For care.data it will.

Q557 Chair: Other forms of data will still be flowing from the hospital record, as previously.

Tim Kelsey: Yes.

Kingsley Manning: For direct care purposes, yes.

Q558 David Tredinnick: I have one last question. What issues still need to be resolved before the data collection can begin in the pilot areas?

Tim Kelsey: I say this for the record. What I am going to do, if it is okay, is to send the care.data advisory group’s minutes and papers that are published. It recently considered, as did the programme board, a paper on planning principles—the preconditions that need to have been met before the extractions can start, even in the pathfinder areas. In case I miss anything, I shall make sure that you have that.

Essentially, it boils down to the Information Centre code of practice being published, regulations on the Care Act being published, in terms of how CAG will operate and so on, and a variety of other things. I shall send you the papers. There are a number of things, and, if they are not met, then the programme board has determined that we should wait until they are, and I can then be explicit about them.

Q559 Chair: In terms of the public’s concerns, are there are any other issues that you wish to comment on? Are there other points that you would like to comment on that you have not been specifically asked about this afternoon?

Tim Kelsey: One of the reasons why there is still genuine public concern about this idea that, as Rosie said, somehow millions of health records are being dumped, is that we are not being accessible enough about the way in which the benefits case is being made. One of the things that I feel strongly about is that we need to be intelligent and clear in making that benefits case, not just in terms of the way in which the local health service community can plan services in future but directly. It is about how it can support GPs, right now in, for example, determining which older frail people in the community at this minute have not yet gone to hospital with emergency admissions but who are at risk of doing so, and how can they be supported. It will help the GP to identify those people because we are able to produce these linked data.

One of the things that we have not discussed is the benefits case. We will be working really hard—insights and contributions gratefully accepted—to make sure that we are really clear with people about the direct benefits to them and their families in relation to these data, and to improve the quality of care services.

Kingsley Manning: There are a couple of other issues that we are very concerned about, which CAG should address as soon as possible. There is considerable and very real concern about the linkage of clinical data with data held by other Government Departments, not least HMRC and benefits payments and so forth. That needs to be addressed directly by CAG. We need that absolutely clear. I am also very concerned about that being done at a local level, because the impact potentially at the local community level is much greater. I would wish to have guidance on that and on the issues of commerciality.

Q560 Chair: In other words, if you get requests for data, say from the DWP for data—

Kingsley Manning: We have never had that. I am particularly concerned that, at the local government level, there is real fear and worry, which is perfectly understandable, about, for example, a link between healthcare data and housing benefit, and so forth. One of the issues around social care integration, for example, is understanding how we control that in the most effective manner. How do we get the benefits of integration without potentially worrying people sick about the fact that it might have an impact on their benefit payments? On that, we need to have clarity.

Q561 Rosie Cooper: Perhaps we should opt out.

Kingsley Manning: No, I don’t think they should opt out.

Rosie Cooper: I do. You can’t be trusted. Sadly, you can’t be trusted.

Chair: Rosie, that is unhelpful.

Rosie Cooper: I am expressing an opinion.

Chair: Yes, it is an opinion. Is there a question?

Rosie Cooper: Yes. Why would I, as a Member of Parliament, go out there and tell people that this is a really good thing, and that it will benefit them, their families and their communities—that is what it could do, and I absolutely believe in that—when you guys, or whoever you want to blame, have made such a mess of it so far? We are talking about the benefits, but some people’s insurance policies have already gone up. One of my constituents has had it doubled, and you say that it cannot happen. Why would I go out and do it? You are asking me to tell them that they are going to get these opaque benefits when their personal information may be used in a way that they would not want.

Q562 David Tredinnick: If I may, I ask one last thing. This issue is hugely important for the healthcare of the nation. There have been issues in the past, but you, Mr Kelsey, have identified with your experience where we are going in future. How great a challenge do all three of you regard this in terms of your experience and work? Where does this rate on the scale, and how important do you think it is—I have expressed an opinion—in terms of healthcare for the nation?

Sir Nick Partridge: I will not be opting out, because I believe that the minimal risk of my records being identified is far outweighed by the personal health benefit to me, my family and my community. It seems to me to be clear that the other issues that you will be grappling with over the next few years—the impact of an ageing population and the fiscal issues that the NHS faces—mean that, if we are to properly redesign health and social care and to do it in a way that is integrated and that benefits local communities and whole health economies, we can do that only if we have a better understanding of the real flows of people, the changes in the disease burden, what works and what the outcomes are. We must bring down the variation that you have rightly identified, and improve outcomes overall. We can do that only with data, with all the risks and the issues that we learn when going along this path. As a patient, knowing what I can access through my smartphone, I want the NHS to keep up with that. I want it to be the guardian of my data. Part of my report is recognising and owning up to where that has not happened in the past, and striving to ensure that we do it better in future.

Kingsley Manning: I am saddened by some of the comments that have been made this afternoon about the lack of trust and also by the impugning of our motivation. That was disappointing. I took on this job and its associated pain and grief only because I fundamentally believe, after 30 or 40 years of working with the NHS, that we have a once-in- a-generation opportunity to get the technology and the data structures right. If we do not get it right in the next few years, we will have lost the plot.

We made big mistakes over the last 10 years, and we have a once-in-a-generation chance to get it right. I am absolutely clear that we have to engage the public in an open debate about the balance of risks and benefits. There will always be risks with data. There were risks with the Lloyd George envelope; notes were lost, they flew and went all over the place. There will always be risks, but those risks and the benefits are both enhanced by the technology.

We have to find ways of ensuring that we use the best available technology to provide the best available health and social care, and care and delivered care, not just within the NHS but for the whole system. We have the potential technology to do it, but we have to find social and cultural ways to secure the support of professionals, carers and staff. We have a once-in-a-generation opportunity to do that. Personally, I am completely committed to doing that, and I know that my board is as well.

Tim Kelsey: We have a very big job to do, and I hope that you will hold us to account in delivering it.

Q563 Chair: Would you agree that, if people want to snoop on your personal medical records, there are already far easier ways for them to do it, and that that is an ongoing task?

Kingsley Manning: One of our great concerns, and it is a real problem, is of someone blagging their way in to the A and E department.

Q564 Rosie Cooper: Can somebody tell me how someone can get my medical records now? The Chair said that there were easier ways to get hold of medical records. What are they?

Tim Kelsey: There are some instances. For example, the newspapers have posed as other people in order to ring up the secretary or receptionist at the GP’s practice.

Kingsley Manning: One of the things that we are undertaking on behalf of the Secretary of State is to start a progress of penetration testing and social engineering testing across the system as a whole. We are extremely concerned about the human factor, which is potentially more worrying than the technical aspect.

Rosie Cooper: Thank you all very much. Let me give you a clue. People did not like the Department of Transport selling their information, and that was only their addresses from the car licence plates. You guys should have had a better clue about what you were doing with people’s personal medical information.

Chair: Thank you very much for coming here this afternoon.

Oral evidence: Handling NHS patient data , HC 484 55