Monday 15 March 2010

Do we need explicitly consenting patients?


I’ve just had a letter from my local health authority. It tells me that the National Health Service is changing the way my health information is stored and managed.

Apparently, an NHS summary care record is being introduced to help deliver better, safer care. This electronic healthcare record is to be made available to authorised healthcare staff (whoever they turn out to be) so that the clinicians treating me will have immediate access to important information about me. And, over time, the local health authority may add details of any health problems, summaries of my care and the professionals treating me. I’ll even be able to go on line to view my summary care record – and I wonder just how many others will be able to go on line and view my record too.

The nice bit about all of this is that I don’t have to do anything. Not a thing. No forms to fill in. No phone calls to make to confirm I am who the authorities think I am, and that my details are all up to date. It’s not like I’m applying for a postal vote, after all. The wonderful news is that “If your GP practice does not hear from you by 24th May 2010 it will be assumed that you are happy to have a summary care record, and the process of creating a record for you will begin.”

So, in medical terms, in order that the local health service can change the way it deals with my medical information (or sensitive data, as the data protection gods knowingly call it), I don’t need to offer any consent – or even an acknowledgement that the letter that was addressed to me actually reached me. I wonder how many “homes in multiple occupation” will all have had their letters safely delivered to the various addressees. I guess we’ll never know – and the overwhelming majority of us will probably not care.

I don’t think I’ll care about this too much just yet – unless and until, that is, I receive an assessment letter from someone up in Wilmslow indicating that it is their preliminary view that I have taken insufficient steps to notify someone who has complained to them of some new form of processing, and that I’ve been careless in obtaining consents, and accordingly that I have breached a Data Protection Principle.

I would have loved to have been a fly on the wall when the NHS oiks explained to the Commissioner just what it was they were intending to so, and why express consent wasn’t on the cards, so they were going to make it harder for people who get upset about these things to register their objection. After all, the letter I was sent from my local health authority tells me that the form to complete and return to my GP if I do not want them to create a record is not part of the package of literature that is sent explaining the advantages of the new scheme. Instead, you can find it on the internet at www.london.nhs.uk/noscr. Oh no you can’t. That’s the page which basically provides me with the information that was in the letter that I recently received. You have to point your browser to another link, http://www.connectingforhealth.nhs.uk/systemsandservices/scr/documents/optout.pdf
and then you have to print off the form and return it to the participating GP practice. Apparently this can’t be done on-line – perhaps they don’t trust electronic communications. But I also apparently don’t need to offer any proofs of identity when sending the completed form to my GP’s practice.

I appreciate the way that Tracy, the Chief Executive of my NHS Trust, has made it so easy for me to have one. As she lovingly wrote the end of her letter, “If you are happy to have a summary care record then you do not need to do anything, as this will happen automatically.”

All quite interesting, really. But what’s the point?

If this is a new purpose, then the law would expect a responsible data controller to obtain the consent of an affected individual. And it if related to a new way of processing sensitive data then the data controller would be expected to obtain the explicit consent of the affected individual. As I am not being offered the opportunity to offer any form of meaningful consent (unless we have finally killed off the old mantra “silence does not equal consent”) then surely the only way this scheme is going to work legitimately is if the health authority is not processing my sensitive personal data for any new purpose in the first place. And if the Health Authority is not adopting a new purpose then why on earth is it writing to me to give me the opportunity to object to my data being used for this purpose? The NHS is strapped for cash. Budgets are tighter than ever, and essestial services are increasingly at risk. I would have much preferred the money spent on this exercise to have been diverted to another purpose - like protecting children such as “Baby P” from his parents, and from the overstretched healthcare professionals within my Health Authority who so badly let the little boy down.

If Haringey Health Authority really is to retain credibility, let’s have it spending scarce resources where it most matters - not bothering people about stuff that really isn’t as important as fixing the blindingly obvious basics within our healthcare system. It’s giving Data Protection a bad name!