The NHS Data Commandments and the memory hole

Back in 2018, the British government published a document on the World Wide Web. This happens fairly often. In fact, they have a whole publishing platform for this. I started writing a post critiquing this document, as I felt it was a poorly considered idea. Before I got around to publishing it, the document disappeared from the Internet. Life went on. I was busy, and there are always many more blog post drafts that don’t ever get written or published.

I still find it rather disconcerting that the government—or a key government service provider like the NHS—can just remove policy documents from their website without any explanation, and with no archive. If they can do it for something fairly benign like the post you are about to read, then they can do it for more significant publications, and that would be bad.

I’m publishing this post partly because I would prefer it if the government/NHS did not just put documents in the memory hole, but also because discussions around NHS data reuse are being reignited—especially in the context of Brexit and a future UK–US trade deal.

The “data commandments” may no longer reflect the intentions of the NHS (I’m pretty sure they don’t), but it is worth having them on the record rather than consigned to /dev/null, if only so historians and scholars of law, government and public policy can see the evolution of attitudes by policy makers on this important topic.

Original post

  1. The data, and their definitions, should by design introduce no harm to the patient.

  2. Information and Data are an asset.

  3. Data held must have an identified purpose.

  4. Data must be categorised at the most appropriate security level.

  5. Data and Information must be consistent across the health and care system to enable effective data portability. Definitions must be made available to users or applications on request in a machine-readable format.

  6. Identifiable data should have a unique identifier associated with it that is used consistently across health and care systems (e.g. NHS Number).

  7. Data and information should be reusable across the health and care system – and where appropriate beyond for secondary research purposes.

  8. All operational data collected should be used to assist the management of the health and care system, and not only for secondary use cases that are not defined as part of operational use.

  9. Data should be readily available to enable the appropriate level of sharing to authorised users. The appropriate level of sharing will be determined by the security classification of the data.

  10. Each NHS data asset must have an owner accountable for data quality, definitions, policies, business decisions, and enforcement of enterprise business rules for the data.

An annotated commentary

When the post was originally published, I decided to annotate it to demonstrate the problems with the thinking that underlies it.

  1. The data, and their definitions, should by design introduce no harm to the patient, or to wider society.

    • It is all too easy to see data use and misuse through an individualistic lens. Privacy is broadly framed in the sense of the misuse of an individual’s data. This ignores the equally significant problem of broad social abuse. Even if you opt out of your data being used by a particular company, you cannot opt out of a society where companies like Google and Facebook use generalised data trends based on demographics to target, segment and individualise.
  2. Information and Data are an asset, but also an enormous potential liability.

    • Everyone handling data needs to know that even the most clinically or operationally valuable data could turn into a massive liability very quickly.
    • If data is to be treated as an asset, it is an asset held on trust from the public and must be treated as such.
  3. Data held must have an identified purpose. Data which no longer serves any identifiable purpose should be deleted to prevent data leaks.

    • Dispose of data with all the care one would take with used needles or nuclear waste.
    • The identified purpose should be specified and specific, not general. Use beyond the specific, specified purpose should be forbidden.
  4. Data must be categorised at the most appropriate security level, always erring on the side of caution when one is unsure.

    • Anonymisation is often impossible, and assurances of anonymisation cannot be relied upon.
  5. Data and Information must be consistent across the health and care system to enable effective data portability. Definitions must be made available to users or applications on request in a machine-readable format, and a human readable format.

    • Human readability of data is essential for correcting errors, understanding what is going on with data, and understanding whether one should object. Non-technical people are not going to read a JSON file or a SQL schema.
  6. Identifiable data should have a unique identifier associated with it that is used consistently across health and care systems (e.g. NHS Number) unless anonymity and disconnection from wider NHS systems serves the needs of patients, especially from at-risk communities.

    • For instance: many sexual health services are used by mostly at-risk people (LGBTQ+ communities, sex workers, injecting drug users, victims of rape and sexual assault etc.) who do not want their access to HIV testing and other sexual health services intertwined with the wider medical system so as to avoid the risk of stigma, discrimination and so on. Such clinics often do not require an NHS Number or strong proof of identity, nor do they share data with GPs, and may only require from patients a name (which could be a pseudonym and is not checked), and a phone number (which may be a disposable ‘burner’ phone). Were patients to find out that their HIV status, or STI test results, might be shared with the wider health and care system, they may avoid seeking testing, which would have a negative outcome for them as patients, and for public health in the UK and internationally.
    • Services providing drug treatment and support may also require similar levels of confidentiality as patients may disclose to clinical or care staff information about behaviour which is against the criminal law.
    • The counterargument “well, discrimination on the basis of disability (including HIV status) is illegal” is not an acceptable defence of data sharing practices that put at-risk people further at risk. Employers, landlords and service providers can break the law, sometimes with impunity.
    • Clinical service providers who determine that a pressing need (including trust) of those communities necessitates disconnection from wider data sharing policy, or the acceptance of a minimal, disposable identity in place of full patient data, should be able to do so without linking that sensitive information with the wider healthcare system.
    • Doctors and other medical professionals are required to disclose information under various disclosure rules: that is their professional responsibility, not the job of the database state, especially as the latter has no professional standards to adhere to as clinicians do, and no professional repercussion for mistakes.
  7. Data and information should be reusable across the health and care system – and where appropriate beyond for secondary research purposes – but with patient consent, trust and ethical approval as the primary basis.

    • Any data collected about patients must be reused for research purposes only with the same level of ethical approval that would be used for other medical studies.
    • Where possible, patients should be notified when their data is used for secondary research, and given the ability to opt out, both prospectively and retrospectively.
  8. All operational data collected should be used to assist the management of the health and care system, and not only for secondary use cases that are not defined as part of operational use.

    • A clear bright line should be drawn between clinical and operational data.
    • Data reusers in the NHS need to be aware that legal responsibility for giving accurate information can now fall on the entire service, not just on clinical staff—see Darnley v Croydon Health Services NHS Trust [2018] UKSC 50.
  9. Data should be readily available to enable the appropriate level of sharing to authorised users. The appropriate level of sharing will be determined by the security classification of the data, and the consent of patients.

    • Any system that is not based on the consent of patients can and will lose the support and trust of those patients extremely quickly.
  10. Each NHS data asset must have an owner accountable for data quality, definitions, policies, business decisions, and enforcement of enterprise business rules for the data.

    • If nobody can be held accountable for a piece of data, that’s probably the best time to get rid of it.