IN THE LAST FIVE YEARS, MORE SCIENTIFIC DATA HAS BEEN GENERATED THAN IN THE ENTIRE HISTORY OF MANKIND
On 22 June 2021, the Department of Health and Social Care (DHSC) published its draft policy paper titled 'Data Saves Lives, reshaping health and social care with data'. Setting out ambitious plans to harness the potential of data in health and care, the ambitious strategy focuses on the benefits of digitisation of the NHS and other care authorities, while maintaining the highest standards of data protection and ethics. The coronavirus pandemic has accelerated the digitisation of the health and social care system and the paper aims to provide a blueprint for the government's future plans. However, the implementation of the UK General Data Protection Regulation (UK GDPR) means that new uses and sharing of health data require strict legal foundations ingrained in the principles of lawfulness, fairness and transparency, purpose limitation, security, integrity and confidentiality. Clearly, the views of healthcare professionals and the public are evolving when contemplating the potential benefits for research and medical science of big data analytics in AI in harvesting health data.
The publication of the draft strategy policy comes in the wake of a general backlash against the controversial General Practice Data for Planning and Research (GPDPR) programme, purporting to transfer all GP records into a centralised database, a plan now expected to be postponed to 1 September 2021.The draft strategy has three key priorities:
- educate on the ways data may be used for health and care purposes, to foster innovation, and the importance of ensuring transparency to win trust from health and care users;
- establish new data sharing policies across the whole a health and care system; and
- support the new strategy with the appropriate legal, technical and governance framework.
The draft strategy also commits the DHSC to, where appropriate, act on the findings and recommendations of the Goldacre Review  into the use of data for research and analysis which is expected to conclude later on this year.
The final version of the strategy is expected to be published later in 2021. In the meantime, the government has launched a consultation of stakeholders.
WHAT DOES THE DRAFT POLICY COVER?
The new strategy proposes central improvements to the way the data collected by the NHS (and other care providers) in England is used. The paper is split into 7 chapters each tackling a separate way in which patient data may be used to benefit the health and social care system and ensure a high quality of care.
CHAPTER ONE - BRINGING PEOPLE CLOSER TO THEIR DATA
CHAPTER 2 – GIVING HEALTH AND CARE PROFESSIONALS THE DATA THEY NEED TO PROVIDE THE BEST POSSIBLE CARE
The first aim is to make patient data easily accessible to patients themselves. The policy outlines that a person accessing social or health care should have digital access to their health and care information, including test results, procedures and care plans and access to a system to manage appointments. More interestingly, the plans also include facilities for individuals to share additional data including sleep pattern, food and exercise with their care providers.
The policy also notes the importance of increased transparency about how the health and care system protects and uses the data provided – although this is not expanded upon within the policy itself.
The policy aims to bring patient data from across numerous sources (e.g. GP's systems, Emergency Departments, personal wearable devices) into one singular data store which can be accessed by any section of the health and care system – including the patient themselves.
This data provided would then be used, in line with the policy's wider aims, to improve patient care and also help forecast for future needs of the NHS.
The new policy aims to give staff quick and easy access to information about people under their care to support the decision making process. The recording of this data in a central location is aimed to save time and reduce the data collection burden for practitioners in taking a patient history every time a patient is seen. Health care practitioners are expected to have confidence, through the digitisation, in sharing data between points of care even when this involves sharing data across NHS trusts.
The policy also suggests a strengthening of the duty to share data for the purposes of individual care originally introduced under S251B of the Health and Social Care Act 2012. This new duty on health and care organisations will be to share anonymous data "across the health and social care system".
In addition, a new shared Care Records system will be in place by 2024. This system aim is to make it possible for staff that use different data systems or record their data in different ways to see an individual's personal history and information in one shared location.
CHAPTER 3 – SUPPORTING LOCAL AND NATIONAL DECISION MAKERS WITH DATA
This section envisages providing data around current service delivery and local population to ensure proper planning and management on a local authority and national level. The GPDPR programme is one arm of this policy, mentioned earlier and discussed in our separate article.
The aim of these measures is to allow decision makers to review and analyse the impact on health and social care going forward.
In addition, it is proposed that all source code created through the project will be open and reusable to all analysts.
However, some proposed use of the government's legislative powers to weaken the long trusted principle of doctor–patient confidentiality, is of concern when it states: "we will use secondary legislation in due course to enable the proportionate sharing of data including, where appropriate, personal information for the purposes of supporting the health and care system without breaching the common law duty of confidentiality".
CHAPTER 4 – IMPROVING DATA FOR ADULT SOCIAL CARE
Similar to Chapter 1 this means that people in adult social care should have access to their own data and will have the ability to share this data with people supporting them including family and friends. The data will be shared with care providers linking client level data from local authorities and health data.
The draft paper also proposes that local authorities and Jobcentre Plus should share data with adult social care services (and vice versa) to ensure that health, employment and access to community support is integrated.
CHAPTER 5 AND 7 - EMPOWERING RESEARCHERS / DEVELOPERS AND INNOVATORS
These two chapters handle the use of patient data to further scientific research and improve the level of care provided. The policy looks to promote open code, and will publish a digital playbook on how to make code available on an open source basis for health care organisations. The government wish to encourage AI innovation and collaboration with the wider tech sector.
CHAPTER 6 – HELPING COLLEAGUES DEVELOP THE RIGHT TECHNICAL INFRASTRUCTURE
This final section aims to modernise the IT structures that support collected data and publish outlines regarding how data will be stored, shared and sent between organisations. A new power for the Secretary of State for Health and Social Care will be introduced which will enable the Secretary of State to mandate data collection and storage standards.
Priority is also given to developing a long term plan to manage evolving cyber security threats. This is intended to include a set of recognised standards to be published and continued support to be provided for data architecture to be drill tested and national incident response plans to be regularly rehearsed.
WHAT ARE THE KEY DATA PROTECTION RISKS?
The draft paper emphasises that none of the proposed changes will remove the duties of organisations to meet the requirements of applicable data protection legislation. All uses of an individual’s data will need to be necessary, proportionate, transparent and subject to that individual’s rights to access, correction and information on use. The strategy promotes a new obligation to share anonymous data across the health system securely, including with commercial organisations, subject to new specific consistent standards applying to the compilation, storage and sharing of data. Such data sharing may however not always be anonymous data, it may also be pseudonymous data or even personal data. In such cases, what are the privacy implications with respect to transparency and security?
We are expecting the Health and Care Information Governance Panel to produce a set of standards for health and care providers in December 2021 as part of a wider framework.
In 2022, the first transparency statements will be issued by the DHSC which will set out how health and care data has been used across the sector. While this will be beneficial and aid overall transparency, it is concerning that the statement will be issued after the data has been processed.
It is concerning, however, that there is no mention within the draft policy paper of the existing National Data Opt-Out. As our article on the GPDPR highlights, confusion over different opt-outs has exacerbated existing concerns about the sharing by GPs of data with NHS Digital. It is key that patients must be informed and aware of the choices they have.
SECURITY OF DATA
Understandably there are concerns as to the security of the data while stored and processed as part of the digitisation. No specific details are included in the paper as to steps taken to manage the security risk. It does note that the NHS Digital Cyber Security Operations Centre provides local and national monitoring, and blocks 21 million items of threatening activity every month. Improvements have been made since the 2017 WannaCry global ransomware attack which affected NHS trusts although again these improvements are not detailed within the policy.
The paper envisages the facilitation of data sharing between separate arms of the health and social care system, and that easy data sharing will become the norm rather than the exception. However there are no details at to the practicality of this.
It is visualised that data collected from wearable devices is also collected and stored in this central system. It is unclear what the underlying agreements will be between the wearable technology firms and the central government system.
Significantly, the draft paper suggests that legislative changes will be made to NHS Digital's legal framework to:
- introduce a duty for it to have regard to the benefit to the health and social care system of sharing data that it holds when exercising its functions;
- clarify the purposes for which it can share data; and
- allow it to require data from private providers of healthcare (where directed to do so by the Secretary of State).
On 16 June 2021, the Government published a report by the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) containing a number of wide-ranging sectoral recommendations including in relation to clinical trials and digital health.
In particular, the report calls for a new regulatory framework for digital health "based on mandatory interoperability standards to support consumer confidence and NHS take-up of digital apps for disease prevention, portable electronic patient records (EPRs) and digitalisation of NHS systems". In relation to clinical trials, the report rejects the EU’s Clinical Trials Directive and the GDPR as mere obstacles preventing "data flows for life science health research" and "holding back the UK trials sector". It calls for the UK Clinical Trials framework to promote innovation, and be based on a "unified health research data structure". Logically, the report ends up advocating the replacement of the GDPR by a new UK framework for data protection. In particular, the GDPR is perceived as restricting the use of data for "worthwhile purposes" and could be replaced by a more self-regulatory framework for companies using data for innovation and public interest.
In many ways, some of the above proposals seem to take a regressive approach to data protection compliance and the GDPR which is globally now recognised as a gold standard and helps data subjects keep control of their personal data at all times. It also seems to demonstrate an inclination towards a more sectoral and self-regulatory approach to data which is currently closer to the US privacy framework.
In this context, the Data Saves Lives draft policy seems to be consistent with the proposed objectives and regulatory changes advocated by the TIGRR report. This is all the more a matter of concern that the UK has just been granted two adequacy decisions by the EU Commission on the 28 June 2021 based on the UK’s data protection regime being the same as when it exited the EU. The question therefore is how far both these policy papers can be implemented in practice without jeopardising UK adequacy but perhaps even more importantly depriving the UK from the gold privacy standard of the GDPR with no clear innovative new legal data protection framework in sight. It also bears the thought that even though the National Data Strategy initiated some of the themes around easy data sharing for public interest covered in both policies, it equally recognises that a responsible use of data means using data lawfully, securely, fairly, ethically, while remaining accountable. All principles that the GDPR embodies.
The NHS and DHSC carry the burden of a two decade-long legacy of failed IT programmes including its “expensive and largely unsuccessful”  previous attempt, between 2002 and 2011, at introducing an integrated IT system with patient records available electronically.
With the NHS's original 2018 target for a paperless records system having been missed and moved back by six years it remains to be seen whether the admirable aims of the draft paper will be achievable in practice.
The pandemic has accelerated the digitisation of healthcare and has shown that when done correctly datasets can be vital in ensuring good community health. Continuing to make NHS data available for research, securely and appropriately, is vital to empower scientific advances that will transform people's lives.
The Data Saves Lives policy paper provides a mere outline of the direction that the UK government is heading to rather than providing detailed provision on the data protection issues at hand. Moreover, it fails to establish any reasonable new principles and concepts governing a "proportionate sharing of the data for the purpose of supporting the health and care system". Surely introducing a new duty to share data across health and care should have been presented with a proposed articulated regulatory framework including detailed safeguards and regulatory oversight. Equally, replacing the authority of the GDPR, at times, by the authority of Secretary of State to access data is no better panacea.