Evidence submitted by Andrew Hawker (EPR
The Care Record Guarantee (May 2006) lists worthy
aspirations, but too many of them are qualified by terms such
as "normally" and "if possible". It assumes that NPfIT is being implemented
perfectly and seamlessly, which is not the case. The Guarantee
is not underpinned by credible procedures for control or redress.
The plans for the electronic patient record
reveal some contradictions in government policy. On the one hand,
there is a strong emphasis on patient choice. Yet the demeanour
of the DoH towards patients who would prefer not to be included
in the CRS is one of suppressed hostility.
The DoH is also expanding the use of outside
contractors in many aspects of health care. But its policies on
information governance do not reflect this.
The DoH has recently adopted a very centralised,
top-down approach to system implementation. This makes good sense
for the procurement of core systems, in terms of economies and
standards. But it does not follow that there has to be anything
more than a unique patient identifier at the heart of the system.
Nor does the centre need to operate (as opposed to monitor) more
than a few minimal but strict controls once the system is in operation.
At the very least, any implementation of the
CRS should be deferred until the IT framework of which it is a
part has been installed completely, and has been thoroughly tested
for privacy protection (eg by tiger teams).
In the numerous guidance documents issued by
the DoH, more attention should be given to questions of the copying
and retention of data within linked electronic systems. The documents
themselves should comprise fewer generalisations, and more concrete
1. This submission is made as an NHS patient.
I have no connection with any medical or commercial body involved
in the NHS.
2. I feel like a passenger boarding a plane.
On board are technicians arguing about how the plane's controls
should be wired together, and who should do it. The plane has
not had many test flights, and some of those have crashed. Meanwhile,
flight attendants are handing out brochures saying how safe it
3. I have read through the Care Record Guarantee,
and I have compared it with some other guarantees which cover
appliances in our house. If these were written in the style of
the CRG, they would assure me that the appliances were made with
great care and that everyone had the best possible intentions.
Actually, real guarantees are mainly concerned with spelling out
exactly what remedies are available to me. They specify how
I should make a claim, and any particular circumstances which
might invalidate my claim.
4. From the CRG I learn that some key decisions
may be made on my behalf without consulting me (p 5) and that
there will be a complaints procedure via the PALS (p 6). My impression
is that the PALS typically lacks the kind of IT expertise needed
to investigate situations covered by the CRG. Caldicott Guardians
were and are an excellent idea, but these people too need time,
technical skills, and support from computer forensic services
when and wherever they need them. They are only mentioned once
in the entire document (p 5).
5. So, the reader is left with no clear
idea about how compliance with the principles in the CRG is to
be enforced. This becomes even more worrying when one considers
the contracting out of medical treatment. How, exactly, will the
compliance of outside contractors be checked? Will they be permitted
to transfer patient records onto their own systems? If so, how
long will they be permitted to retain them?
6. If, in the light of my concerns about
the CRS, I wish to withdraw consent for the inclusion of my record,
the DoH assumes that it must be because I am "concerned and distressed"
(DoH standard letter). This is a strange choice of language. It
seems intended to imply that I am a bit over-emotional. The DoH
is apparently unable to accept that patients may simply lack faith
in the assurances it is giving.
7. Other parts of the CRG imply considerable
complication and bureaucracy. I can request a list of everyone
who has accessed my records (p 7) and eventually check my own
records on-line (p 9). I currently use on-line banking, and access
my accounts once or twice a week. The banks I deal with have elaborate
access controls, based on reference number, a check number, and
key names and dates which can be requested at random. Such ID
checks are expensive to set up and maintain, but make sense for
a bank since it is much cheaper than having me take up the time
of staff in the local branch. In the case of the NHS, most patients
will only want to pursue self-checking very infrequently, if
at all. The proposed Home Office ID card will, as with many other
on-line situations, be of no practical use. This whole area needs
to be re-thought.
8. A much simpler approach is of course
to make sure that each patient has a unique ID, but otherwise
to keep patient data in as local and circumscribed a way as possible.
The supposed benefits of the CRS owe more to clichés in
the minds of politicians than to medical priorities. During my
own encounters with the NHS I have often been asked to repeat
details of my history, and occasionally to have tests re-done.
Doctors are sometimes sceptical about what is already on the record,
and this seems to me a good thing. The scenario of the unconscious
patient in casualty with a severe allergy can be targeted by other
technologies, at a much lower cost than a universal CRS.
9. If the DoH remains persuaded that the
CRS is needed, then it should be phasing it in only when it can
prove (rather than merely claim) that it is operating "in
line with internationally approved information security standards"
(CRG p 1). This proof should be provided by inviting sceptical
parties (ie not the normal run of government consultants) to test
the system. For example, experts in this field can be found at
Cambridge University. Similar independent validation should be
carried out of the resources and facilities available to the internal
audit teams charged with overseeing privacy protection.
10. At the same time, the DoH should declare
a moratorium on issuing prescriptive guides about good information
governance. It is unrealistic to expect medical staff to wade
through these, let alone digest them (the good practice guidelines
for GPs, for example, run to more than 70 pages). Instead, the
DoH should be constantly inviting clinicians and others to submit
examples of individual situations they believe to be problematic.
These should be analysed and fed back into the design and monitoring
of systems. And in the longer term, any advice could be much more
interesting and effective if more of it were example-based.
11. In the process of getting the new IT
infrastructure up and running, the DoH is overlooking the quite
stupendous scale of the data now being collected together, and
the many different ways in which it is being stored. For example,
it is unavoidably duplicated each time a back-up copy is taken
or an email is sent and received. Hitherto, NHS policies on document
retention have focussed on minimum times for retention. This has
been because, in most instances, only one copy of the record has
existed. In the new electronic era, these policies need to be
revised to identify one root (authoritative) version of each element
of a record, which would be subject to a minimum retention time.
All other versions or copies would be subject to maximum retention
times. In some cases, eg for outside contractors carrying out
single operations or procedures, these retention times should
be extremely short.
12 March 2007