CORRECTED TRANSCRIPT OF ORAL EVIDENCE To be published as HC 422-i

House of COMMONS

MINUTES OF EVIDENCE

TAKEN BEFORE

HEALTH COMMITTEE

 

 

THE ELECTRONIC PATIENT RECORD

 

 

Thursday 26 April 2007

MR RICHARD GRANGER, MR HARRY CAYTON and DR GILLIAN BRAUNOLD

DR PAUL CUNDY, DR MARTYN THOMAS and MR ANDREW HAWKER

Evidence heard in Public Questions 1 - 160

 

 

USE OF THE TRANSCRIPT

1.

This is a corrected transcript of evidence taken in public and reported to the House. This transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2.

The transcript is an approved formal record of these proceedings. It will be printed in due course.

 

 


Oral Evidence

Taken before the Health Committee

on Thursday 26 April 2007

Members present

Mr Kevin Barron, in the Chair

Charlotte Atkins

Jim Dowd

Sandra Gidley

Mr Stewart Jackson

Dr Doug Naysmith

Dr Richard Taylor

________________

Witnesses: Mr Richard Granger, Director General of IT for the NHS and Mr Harry Cayton, National Director for Patients and the Public, Department of Health; and Dr Gillian Braunold, National Clinical Lead for GPs, Connecting for Health, gave evidence.

Q1 Chairman: Good morning. Could I first apologise for the few minutes' lateness of the Committee. It looks a bit thin around this side of the table but you are probably aware we have a Mental Health Bill in standing committee at the moment and members of this Committee have been heavily involved in it, in different forms, for the last eight years now. We have got some members up there who are currently doing standing committee work, but I suspect we will be joined at some stage this morning by one or two members. For the sake of the record, would you introduce yourselves and the positions you hold. Could I start with you, Dr Braunold?

Dr Braunold: I am Gillian Braunold. I am a GP in Kilburn, and I hold the position of GP National Clinical Lead.

Mr Granger: I am Richard Granger. I run national IT systems for the NHS in England.

Mr Cayton: I am Harry Cayton, I was the Chair of the Care Record Development Board and I am Chair of the Ministerial Taskforce on the Summary Care Record.

Q2 Chairman: Welcome back again. I think I said last time you were sat there you were better attended than some members of the Committee and it is absolutely the case this morning! I understand you want to make a short statement to us before we start this morning's evidence session.

Mr Granger: I want to cover three things: firstly, the general progress we are making; secondly, to give you a snapshot of the typical transaction volumes that benefit patients every day in the NHS in England today; and, thirdly, I want to finish with a comment on the general environment around the introduction of new technology into health care. When the Government announced its investment programme in IT in the NHS in England in 2002 there was already a considerable quantity of computers in use in the NHS, and almost all of them were characterised by being nothing more than glorified electronic filing cabinets. If you wanted to move any information between buildings you typically had to move it using word of mouth or paper; there was very, very little movement of information between buildings. Of course patients generally do not just get cared for in one place. There are a number of people who would say that there have been enormous successes in the 1990s in investment in IT in the NHS. I would say, having come from a background of having worked in social security computerisation, the progress that had been made was lamentable - and yet at very significant cost of about a billion pounds a year at 2002. The revisionists are busy at work now trying to make out the progress that had been achieved before 2002 was extremely good and has somehow been retarded by the introduction of national systems; but the evidence does not substantiate that viewpoint. Where you have 33,000 or so GPs in nearly 9,000 locations, and you have none of them able to move patient records electronically between sites and yet over three million patients a year change the GP they are registered with, I do not see how that mess could be described as a success; and yet some eminent GP IT advisers have described it as a success. One of the other things I found extremely quaint when I started delivering this programme was most of the people working in the delivery of clinical systems in the NHS have what would generally be considered to be serious conflicts of interest. They are the owners of software companies, have a financial interest in them, or advise them whilst also undertaking clinical practice. It has the benefit of them being closely associated with the solutions they deliver, and the disbenefits of them having certain conflicts they have to manage. We introduced a process as part of the procurement which was Civil Service standard stuff that we required people to declare these conflicts of interest, and we would not allow them to work on procurement activities if they had involvement with any of the potential bidders. That caused some distress for some of the so-called experts in this domain. It is what has been described by many as "a bit of an alligators' playground". In the last four years we have doubled the availability of network connectivity to the NHS. We now have 19,000 places connected up, so we have one of the biggest virtual private networks on the planet and people take that for granted. In some locations it does not work as quickly as the end users would like - usually because their equipment is badly configured when we go to investigate. We are now computerising, to deliver prescriptions safely, 200 GP practices a week with the relevant software. We typically move 120,000 prescriptions electronically now on any given day. About every ten seconds a patient gets a booking completed electronically, not at the target we would like it to be at but, nevertheless, a significant volume. I think you heard in your audiology hearing how Choose and Book is being used regularly now to enable accelerated patient flows, and is also introducing a greater degree of transparency about where the bottlenecks are in the system. We have about 50,000 people go onto our national demographic database every day and access two million patient records. That is something that did not exist three years ago; something that most major organisations and most government departments in the UK have had since the early 1990s - an online customer index so that you can send letters to the right place. In fact we see a reduction, as a consequence of that, from about three-quarters of a million patients having a letter sent to the wrong place down to probably around a couple of hundred thousand. The hospitals that are hooked up to this system say the number of letters returned, having been sent to the wrong place, has come down massively, which is a significant concern around confidentiality with a paper-based set of letters going out to patients, and inefficiency where an appointment gets sent out to them, for example, and they do not even get notification of it. We have got an e-mail service that has: a quarter of a million users; sends over a million messages a day; is encrypted; and over a third of those contain patient identifiable information. We have a system which has very efficiently paid GPs money under a "pay for quality mechanism" under their new contact. There were a few problems for a couple of days at the beginning of the new financial year as they stampeded into submitting their returns to get their money quickly. However, that system (apart from a couple of days) has worked very well since it was introduced. We have a major secondary uses database working as well. In closing I just want to reflect on how difficult it is to introduce new technology into health, because it is personal for all of us; we care about it; and a lot of people have anxieties. In the North-West we are about to introduce the Summary Care Record which will provide information about patients outside of the GP setting in which the best information is currently held. Around 0.2% of the public, where we have sent information leaflets to their homes addressed to them in person, have concerns about this. You might not think that is the case if you spend a lot of time in this part of London, but that is the kind of data that comes from other areas of the UK, and the North-West where we are bringing this system in. However, there are a lot of people very concerned. In 1834 The Times said, regarding a significant piece of medical technology, that, "it will never come into general use notwithstanding its value. It is extremely doubtful because its beneficial application requires much time and gives a good bit of trouble to both the patient and the practitioner; and because its hue and character are foreign and opposed to all our habits and associations. It is just not going to get used". That was The Times writing about an invention from 1816 which I do not think we generally consider to be adverse to medical practice now. They were writing about the stethoscope. I think the adoption of IT systems that move information between care settings and serve patients as they move around the NHS is in a similar position, of a great deal of anxiety because of the introduction of the new technology. People will look back on this in a couple of hundred years' time and wonder what all the fuss was about.

Q3 Chairman: Thank you for that. Many of the issues that you have highlighted, Mr Granger, we will obviously be pursuing in the course of this investigation, this being the first evidence session of the investigation. Could I welcome you and your colleagues as well. Going back 12 months or more now, most of the debate in the media (without the detailed things you have pointed out there) was people thought what was going to happen was that their patient record (and we assume by that, and I assume by that, it was one patient record) was going to go on the national spine and be accessible for people who wanted to know about my medical history. Actually we have got both a separate national and local electronic patient record now in front of us. Does this represent a failed compromise between the two different approaches? After all the talk about having one national record that was going to be all-singing and all-dancing for us, why have we ended up with two? Why is that?

Mr Granger: That is not a change of direction; that is the details of plans which were documented in Spring 2002 in a document published by the NHS Information Authority, which I am sure one of your advisers is familiar with, which was called the NCRS, National Care Record Service. That document set out very clearly that there needed to be more widely accessible summary information and detailed local information; and the reasons for that relate to the ability of computer equipment to move large quantities of information around, and concerns about the need or absence of need for detailed information to be available outside of an individual care setting. We are trying to strike a balance between having nothing available everywhere, and everything available everywhere. Over the past three years my colleagues have undertaken a very extensive consultation exercise with clinicians and patients to strike what we think is the right balance there and to introduce that through a staged early adoption process. The delays we have had in doing that are a mixture of software complexity and an extended consultation period about how to do that.

Q4 Chairman: Presumably the bulk of mine will be on the Detailed Care Record, and that will be what my GP and anybody in the South Yorkshire locality where I live most of the time will have. What added value will the national Summary Care Record add?

Mr Granger: I think it would have specific value to you as you shuttle up and down the country between South Yorkshire and London. For example, your key allergies and current medication will be available if you need treating down south during the week or, conversely, when you are up in Yorkshire at the weekend.

Q5 Chairman: What would be the difference then?

Mr Granger: At the moment that information is not available.

Q6 Chairman: It is not available down here, yes, I accept that. What will be the difference in the record? That record can follow me from South Yorkshire to London and back again; one record can follow from South Yorkshire to London; but I am trying to tease out of you, what is the added value of having a national Summary Care Record in addition to the Detailed Care Record which will be about me and my potential needs?

Mr Granger: Quite a lot of the record about you will not be coded in a manner that would be safe for other people to use. It will be meaningful to the people who collected it, and it may be voluminous. It may not be particularly relevant to the care that you need on a spontaneous basis when you are away from home.

Dr Braunold: I think it may help to try and differentiate between the Summary Care Record and the Detailed Care Record, because they have different business functions and are intended to serve different purposes. The Summary Care Record is intended to be a first cut of information to help clinicians who have no access to any other records in the first instance who are unfamiliar with the patient, to help them to get started so they are not working in an absence of information. What we know is the first things that will go up will be the medications of the patients, the allergies and then it will be joined by significant medical history, but in a summarised way. We have left the content of the Summary Care Record of what will be uploaded in the first instance from the general practitioner to be customisable at a local level. The reason we have done that is because there is a different timescale in which the Detailed Care Record is being delivered around the country; and it is not coming in at the same time. There is the potential for the Summary Care Record to actually contain information that will serve local business requirements while they are waiting for the Detailed Care Record. If I take the example of a diabetic care pathway, one of our early adopter PCTs in the country is planning to use the Summary Care Record to help the people who are looking after patients with diabetes in the community, as well as in hospital and general practice; and they want to ensure that the content of the Summary Care Record will help to manage that care, and will have in it the recent results and the recent visits to the various members of the team. That will be enabled if that data is sent up from the general practitioner record. What is very important is that people in the locality where it is being used understand the use to which it is being put and the data set that is going in. My personal belief is that the amount of information in the Summary Care Record will start growing bigger and then go smaller again as the Detailed Care Records become the actual way that in the locality people start to share information; but, because this is a system in evolution, we have to start somewhere. We have started with the Summary Care Record in areas where there is not any other data-sharing quite often because those are the Primary Care Trusts that have said, "Yes, please, we want to be part of the early adopters process for the Summary Care Record". They are very keen and eager to do some data-sharing in their areas. It enables us to test very slowly some of the concerns people have had around confidentiality and access controls et cetera, which I am sure we will be discussing, and test them slowly and incrementally, as well as what information was most helpful.

Q7 Chairman: It has been put to us that the exact content of Summary Care Records is not yet known. Is this an evolving situation?

Dr Braunold: There are some things that are absolute. I can very firmly take people through what we are doing with the Summary Care Record in its first iteration. The first thing that happens is a leaflet goes out to the population in the area; and then eight weeks later there is initiation of the repeat prescriptions and the acute prescriptions which are put up as well as the allergies and adverse reactions. That is followed by significant medical history, and we are starting with the core data set the GP has put into their Summary, and they are discussing that with their patients and asking them if they are comfortable with that data set going up in addition to the drugs and allergies. That is in discussion with the patient about what else should join the drugs and allergies. We have not been definitive about what should go in that part, as I said before, to feed the pathways; but also because there has not been guidance previously as to what is in an ideal Summary. Harry will be able to talk about the recommendations from the Ministerial Taskforce about advice as to what should be in an ideal Summary.

Mr Cayton: Perhaps I could say a bit about this, and perhaps I could go back, first, and just think about some of the benefits as I see them from a patient perspective. You are right in a way to question this concept of people travelling around the country. Of course, people do travel around the country a great deal more than they did, but that is not really, I think, the most important reason why this is important. I spent a day recently shadowing an emergency care practitioner with the London Ambulance Service and we spent most of our time visiting frail, older people whose carers or relatives had rung up with that most common of conditions of frail, elderly people which is "had a funny turn". "Had a funny turn" is not a very helpful diagnosis for a paramedic or an emergency care practitioner. Seeing what they have to do in practice, the complications of identifying which medicines a person is on, especially if that person is confused or not very well at all; trying to identify what conditions they have; the huge benefit to them of having access just to this very small data set initially of medications, allergies and adverse reactions; plus, of course, the administrative benefit of having a computerised system that they can use instead of very large amounts of filling-in of paper forms, with all the introduction of errors that often brings; I think there are some real benefits. One of the myths now is that we still have a profoundly long-term personal relationship with an individual GP. Many of us do up to a point, but GP practices no longer provide services in the evening and at weekends; so everyone who uses a GP service is inevitably using GPs who do not know them very well if they are inconveniently ill out of the hours in which GP offices are open. It is not just the situation around people who are travelling, or people who are unconscious in A&E; it is a situation for a vast swathe of frail, older people, and for every single one of us who might happen to be ill at an evening or weekend. In the Taskforce, to go back to the issue of what is initially in the Summary, we had a very extensive discussion. We had on the Taskforce representatives of the BMA, RCN, the College of Emergency Medicine, the Terrence Higgins Trust, nursing and so on; so we had a wide range of interests. We felt that the most appropriate way to go forward was cautiously and sensibly. We recognise that there are concerns; we recognise that there are doubts; and there seems to be quite a clear consensus, certainly around clinical people, that this small data set that Dr Braunold has described is a significantly useful data set in clinical terms and does not raise as many questions as might be raised by more sensitive information such as diagnoses or medical history. This is a step forward as we build a consensus around what works and what does not work.

Q8 Chairman: That could be interpreted as being a compromise because the ideal is a national patient record, and what we have got now is that there are going to be two national patient records. It sounds to me as if this is as far as you can get. Was this a political compromise in terms of what you wanted in the first place and what we have at this stage?

Mr Cayton: I do not know that you can use the word "political".

Q9 Chairman: It is a compromise then?

Mr Cayton: You might say it is a "professional agreement" around what is acceptable to conflicting interests within the system. Interestingly, as the patient or independent person on this, many of the conflicts are between clinicians; they are not between clinicians and patients on these issues; they are actually between different groups of clinicians who have different conceptions of their role within the Health Service; different conceptions of the balance of power within the Health Service; and who are trying to protect the interests of certain clinical groups, sometimes I have to say, under the disguise of protecting the interests of patients.

Chairman: I have personal experience of the same group of medical people in my constituency who have different attitudes towards some of these matters.

Q10 Dr Taylor: I want to move on to the Detailed Care Record. I can see how feasible the Summary Care Record is; I just cannot see how feasible the Detailed Care Record is. We gather it is going to be made up of different records from different hospital departments, from the GPs. The only information we have got in the Department of Health's submission about Detailed Care Records is under paragraph 29 where it says: "The Detailed Care Record component of the NHS CRS will support the care process and will typically contain: the name; address; date of birth; NHS number; past and current health conditions; allergies; assessment et cetera; care plans et cetera; treatments, including operations and medication; care reviews; and discharge information". I am very, very concerned about the amount of information that is in hospital notes, and please do not think I am denigrating GPs, because obviously they have got the shorthand type notes worked out to a high degree, and it is going to be relatively easy to computerise GP notes. It is going to be extremely difficult to computerise hospital notes, which are going to be needed in the Detailed Care Records. I would like some ideas, some guidance on how you are going to approach this and make this even possible. I have got lots of specific points to pick up.

Mr Granger: If I could start on this and if Gillian could follow. I think there are two problems. The first is that the computer systems that have existed before this programme have typically only served doctors in one care setting. It has either been a hospital system or a GP system. The market was very firmly orientated in that manner. We have the challenge of getting suppliers of GP systems, and give you for example EMIS and TPP as two suppliers based in Leeds, both of whom are pushing upwards into community and ambulatory care settings with increasingly rich products. At the same time as you see the supplier for the South and London in the acute sector, Cerner, who run the systems that support a third of the hospitals in the US, you see them pushing downwards into what they would term "physician offices", into GP practices. That was a problem that existed before we started this programme, and it is still work in progress. The second problem is that, whilst GPs use Read codes and localised variations of them (and the variations are one of the greatest problems to information liquidity between practices), in secondary care a lot of the information is only coded up after the actual interaction between the clinician and patient. Our challenge is to introduce systems where people are coding information at the point of care; and some of the codification of those systems will be better supported by something we have been working on for some time, which is a proper international standards body called SNOMED CT, which is a much more detailed structured nomenclature to support secondary care, because obviously Read codes are inadequate in that setting. We have had to take the lead in launching an international body to do that and wresting that from the College of American Pathologists into an international body, and that will be announced later today. It is going to be a long and difficult process to get the complexities of secondary care to code information in a way that it can be used outside of the location in which it was originally created. We are going through some of those difficulties at the moment in the south of England with the implementation of the Cerner system, which is requiring much more data to be collected at the point of care, rather than it being coded up subsequently; which is introducing problems of efficiency in the way the NHS is currently organised in terms of rapid clerking of patients, followed by retrospective tidying up of records and production of billing information and so on. It is a challenge at the moment but we are working through that.

Dr Braunold: I totally understand the question, and I suppose it is important to have a goal. I will try and describe the picture very quickly and then look at the steps we need to go through to get there. As a GP I get something like 125 letters a week from my colleagues in secondary care about my patients and those are structured usually most about the history of that patient - that has always been there; and occasionally there may be some recent results and the medication that has been used; and then there may occasionally be a sentence asking me to do something. I have to read that letter very carefully in case there is an action and I need to file it in my records. In order for me to do that, that has come from a hospital usually dictated by a consultant such as yourself, and it is then typed up by the secretary onto a computer; it is then printed out; and it is then sent by snail mail to me; and I then have somebody who receives it, scans it, then puts it into my computer and somebody codes it back into the computer and checks there are no results or anything I need to do; and then, finally, I check for any actions. For me it is not only a saving of all the scanning and the obvious things that an electronic message could do, but I want to save some of the coding issues so that instead of me receiving stuff for information, which we should share in a Detailed Care Record, that we would change the way we work; that we would only need to send each other actions, instead of sending each other information that we share on a Detailed Care Record. That for me is the Holy Grail of what we are about. It is about really changing the effectiveness and the efficiency of how we work. To get there is not going to be quick. It has taken general practitioners a decade or more to learn how to code carefully and accurately. We have worked through a data quality exercise that we are doing at the moment, on actually saying only GPs who pass the data quality accreditation can submit to the spine, because we want data that is fit for sharing. There is an enormous amount of work to do with secondary care. I understand your concerns. One of the things which my colleagues as the National Clinical Leads for hospital doctors are very keen to do is to really look at incremental ways of delivery of product. This is not a shiny spaceship going to land on secondary care where suddenly everybody has got to do this. I went to visit the Homerton Hospital where Simon Eccles one of my colleagues is based and I said, "I've heard the Homerton is great and it's running this great system". I came from general practice and I am used to flying with my machine and, I have to say, from a general practitioner's perspective I was very disappointed. The reason I was disappointed is because I am used to a very functionally rich system. What gets secondary care colleagues excited is a particular product delivery of particular issues. They have got Order Comms (Order Communications). Order Comms means if they send off 15 blood results they can see at a glance if 12 of them have come back, click on it and see them. They have got bar coding so they know where the results are on the system and they can track them, and that is great. It is the equivalent for me of where we were when we got repeat prescribing. We knew what to do with prescriptions and waves of GPs started to use computers because there was a business benefit to them. I see the secondary care delivery of products as Cerner and Lorenzo and all the others going through their various iterations delivering more and more functionality, year by year. People start saying, "What's coming next? That was quite good". The challenge for us really is to make sure that we do not make that challenge too painful; because you cannot ever get gain without pain. You cannot take on a new laptop without having to learn something. It is always painful gaining new functionality. We have to make sure that we do not challenge the NHS too greatly in the delivery of these extra functionalities. I hope that explains what the Detailed Care Record is for, because I really think it is worth having and it is a challenge worth taking up; but it is not going to be speedy.

Q11 Dr Taylor: I am not saying it is not worth having, I am just wondering if it is a possible dream in the long term. I can quite see how it is easy to put on X-rays; it is easy to put on path results; it is easy to put codes and prescriptions. There is an awful lot of importance in narrative text in hospital notes. How are you going to cope with that? I am thinking particularly that the complaints we get as MPs largely are associated with lack of communication between staff and patients. The basic defence you have got as a doctor is that you have recorded what you have said to the patient or the family. How is that sort of narrative text going to be in the Detailed Care Record; or are we still going to have a paper record in the background? The idea is to get rid of paper altogether.

Mr Granger: One of the feedbacks we had from the new system we put in in Winchester was that the nurses were delighted with the noting functionality. We are looking at trying to increase the quantity of information which is codified so it can be used safely in multiple locations, even within an individual institution; and we are providing a facility which allows people to put the notes in free text format onto a computer system, so that they carry forward as well. I recognise a lot of people like to use free text because it can be easier for them than codifying things but it has a systemic inefficiency for the NHS unless they are the only person caring for that patient.

Q12 Dr Taylor: But you cannot codify a unique conversation between a doctor and a relative?

Mr Granger: No, but one of the things we generally do not codify, for example, is causation. We will codify that somebody has broken various bones but we will not codify the fact that is because they fell over; so we discharge them from hospital and they trip on the carpet and come back. What we need to get to is the root cause of lots of people falling over as they get older and their housing conditions. You start to collect coded information about a fall which does exist in SNOMED; you start to get some very useful information about the root cause of the admission; whereas just typing that in free text, "Had conversation with patient; she told me she fell over again", is not very helpful.

Q13 Dr Taylor: You are not taking my point. What I am really bothered about is the conversation between staff and a family, explaining what is going on with the patient.

Dr Braunold: I think that is absolutely right. For me that still has to be recorded. There is no reason why it cannot be recorded on the computer in free text format.

Q14 Dr Taylor: How is that actually done? The doctor writes down in the notes in longhand?

Dr Braunold: That will be subject to the local business processes in that Trust. It takes a while for people to move forward. When we went, for instance, to the States (because I went to have a look at how it was working there) quite often the consultants were dictating, and other people were entering the data; and they may have written in long form and somebody would then take it and put in the computer; whereas in other places people are putting it directly into the computer. What some of the software is able to do, however, is as you type in it is able to suggest codes for part of the text you are typing in so that you are not losing the opportunity to have the coding happen simultaneously. It will offer you a code for part of that. Some of the pain we have gone through in general practice is that, frankly, if I look at some of my colleagues' records the most frequently used code in general practices is "had a chat to patient", and then everything is underneath. The move to a richer coding set came with the input of the quality and outcome framework, as people started to realise if they did not code peak flow measurement properly as a code, rather than somewhere in that text as they had done previously, they were not going to get acknowledged for the work they were doing in looking after people with asthma properly. It is around getting people to understand payment by results and your actual peer audit are things that will encourage people to code properly; but that should not take away the text that we have to still write.

Q15 Dr Taylor: Has there been any attempt to get agreement from hospital doctors on what goes in the Detailed Care Record?

Mr Granger: There has been a process that has been going on since the early 1990s around that. I am sure you are more familiar with that than I am in fact. The specifications we have produced software against have their most recent origin in work that was done between 1998 and 2002 - electronic record pilots; and in communities around England that were in the process of buying local systems which were generally unaffordable when they got through their procurement process in the South-West, the West Midlands, for example, the Shires procurement and Blackbird procurement. Those were specifications that had been produced by local clinicians, lots of hospital doctor input; and that is then iterated and refined continuously around the country as we take early versions of systems and refine them. It is an uncomfortable process because the requirement changes with time, as people become familiar with systems; so to start with people may want lots of free text input and they may want to do that via a Dictaphone or manuscript, then they want to move to typing some of it. One of the challenges that exists in the hospital sector is that it is only now, in fact a couple of months ago, that the first computer that might actually be really useful for a doctor on a ward round was launched. It is a device which has been developed between the NHS and Intel. Before that you had, at best, a laptop, which is a very nice repository for clinically-acquired infections; or you had a computer on wheels, known as a "cow" generally, dragged around a ward with batteries or wires hanging out the back of it - completely useless for somebody moving through a hospital on a ward round. The hardware is only now catching up with the way that hospital doctors work. We have had the same challenge with rolling out PACS (Picture Archiving and Communications Systems). It is very easy to put a light box in lots of places; they are not very expensive; you move to putting in computers and you need very high resolution screens that are 10,000-15,000; they need a power supply; they are heavy; they need hanging on walls in theatres; people who might have had screens on three sides with their light boxes and now you have got a problem putting the IT in with the same information availability.

Q16 Dr Taylor: So when is this marvellous equipment going to be available? Is it something you speak into and it automatically gets it on?

Mr Granger: We have that running already. Voice recognition is being used.

Q17 Dr Taylor: Is it now reliable?

Mr Granger: It is getting reliable. It is being used in several hospitals for reporting in picture archiving. These are emerging technologies. They have been around for a long time but they have generally been designed to work in office settings. Most computers that work in hospitals at the moment are office equipment; they are not hospital equipment. Their portability; their cleanability; the ability to make them hygienic; has been very poor. We have been developing the specifications for washable keyboards, wipeable computers that do not have lots of ports that are uncleanable and so on. The first batch of that equipment was trialled in Salford over the past few months and will come onto the market over the next few months.

Q18 Dr Taylor: Will that allow, for example, the detail of the houseman's history, the detail of the houseman's examination to be recorded on the system?

Mr Granger: Yes. Those tablets that are the size of a notebook, they will do handwriting recognition, voice recording or allow typing either by touching or tapping; and they will allow images to be displayed with a reasonable degree of resolution as well.

Q19 Dr Taylor: Is this going to delay the system further?

Mr Granger: No, but this is something we have to do. From 2002 in the strategy to introduce these systems we found a number of barriers. One barrier was there was not nationally available broadband. We have had Telco (Telecommunications) companies digging roads up and putting cable down in the South-West, for example. Another barrier is the computer equipment that has traditionally been used in clinical settings, certainly in acute settings, is not optimal, and we have had to work with industry to develop that. This is the NHS doing things in a world-leading setting and it has been difficult and it is time-consuming.

Q20 Dr Taylor: Is the main reason for getting the Summary Care Record out first really because it is much easier and practical?

Mr Granger: I think developing a couple of thousand work year software products to a schedule we stood up 18 months ago, that we hit the dates on, has not been easy. I think it delivers significant value out of our investment in a security framework, a central demographic database, a network, and now 102 different end-user systems that are compatible with that central infrastructure. It was always part of the plan. The sequencing of this programme that was stood up in 2002 and what we have now is different. We did not have picture archiving in 2002 at all and we will complete its roll-out during the current financial year.

Q21 Dr Taylor: Do you think you really can answer a GP who has written to us saying the Detailed Care Record can never provide the level of detailed data sharing which would be necessary for shared care?

Dr Braunold: I find that one difficult, because shared care we do at the moment as best we can; so I do not really know what standard that GP is talking about. Improved information will improve our care. I know how often I would like to have information, or it delays optimum treatment of a patient because I am waiting for a letter to come or information to come and I have to bring the patient back. Availability of information at the touch of a button will help improve care for all of those GPs as well as my hospital colleagues, so I find that one difficult.

Q22 Dr Taylor: I suspect he is worried about loss of the paper system which, if you have got time to use it, does give you everything you need.

Dr Braunold: I was talking to what I would call a "Luddite GP" the other day who said he mourns the loss of discharge letters - because they are getting electronic discharge letters, that I would give my eye or teeth for, in his area of Gloucestershire - because he is used to highlighting on it and getting people to code it; and now because he is getting it electronically quicker than waiting three weeks for a letter, he is getting it in two or three minutes, he has actually lost the business process. That is the challenge for us about learning to work differently when we have got better conditions.

Q23 Dr Taylor: Another concern raised to us is from groups who represent patients with long-term complicated conditions, because they are longing for the Detailed Care Record to be out quickly. What can we say to them?

Dr Braunold: That is exactly what we are doing in one of my areas about the Summary Care Records. Because it is going to take a while, one of the real, real benefits that I have not discussed about the Summary Care Record is the patient's record that they see from Heathspace; and that is something that can be put in (all of the information that will help with those pathways) straight away to support those patients and help them wherever they go, because we can put that information in. The patient will have access through the internet, through their own access controls, and they can share it where they wish under their own control.

Q24 Dr Taylor: Why should we not be slowly developing the Summary Care Record to become a Detailed Care Record?

Dr Braunold: Because we need to have quality information that is far more than a general practitioner-originated record. We need to start having coded information from wider places than GPs. GPs only look after patients 36 hours a week. We need to join people up. Frankly, I know the frustration of my colleagues in nursing who cannot access my records.

Q25 Dr Taylor: You are implying there is going to be no hospital information on the Summary Care Record?

Dr Braunold: There will be, but that is joining in 2008 onwards. That will start to be messages around discharge, and messages around the outpatient letters; but it will not be the richness of what you were describing - a conversation with a patient you put in your internal system which you would not necessarily tell me about. I do not want to know every sodium and potassium in the intensive care unit; it is totally inappropriate to be available to me routinely.

Q26 Dr Taylor: It has got to be recorded somewhere?

Dr Braunold: It must be in the hospital system.

Mr Cayton: Richard, you are putting your finger precisely on the point that the Chairman raised earlier, that there are conflicting interests and conflicting views about the best way forward. What we are increasingly trying to create is a system that has some local flexibilities, that has a lot of choices for patients themselves to make about what is shared and what is not shared. As we described earlier, as the Summary Care Record is established, if people want to use it, and if patients agree with their GPs to upload more data to it, then it will become richer and more useful. You are quite right, my experience working with many of the organisations representing people with long-term conditions, they feel very strongly that they want to have a fairly rich shared record and they want it as soon as it can be reasonably provided; but we have many interests to balance in trying to achieve this.

Q27 Dr Taylor: Are the psychiatrists on board?

Mr Granger: I think with 30 mental health patient administration systems the people who have received those probably are. There are specific issues with particular patient groups around concerns about the propagation of information, sexual health and other groups. Gillian might talk about some consultation work we have done there. I want to reassure you on one thing around Detailed Records. We have delivered 13 community hospital patient administration systems; 171 community care PASs; 30 mental health PASs. These are systems that have introduced IT for the first time to quite a lot of frontline NHS workers that are shared Detailed Care Records working across communities. You can go to large parts of the country now, including in this city, and see people who were previously using paper notes, having to go back to offices and having to send letters to colleagues within multidisciplinary teams. My wife has worked in a community setting in the NHS and 30lbs of paper was a typical load she was carrying around as a speech and language therapist; and the only way she could propagate information across the community was by posting stuff; she did not have any other systems. A lot of people are getting systems now that do support that detailed care; but we come back to the problem of getting the warring software suppliers to get their software to work across multiple settings. We have achieved quite a lot of information flow thus far. We are running about 200 million interactions now across the spine, and I think you are going to hear from Patrick O'Connell of BT later who runs that service and you can talk in more detail about that. This is a difficult nut to crack because some people would like all information to be available everywhere; and then at the other end of the spectrum there are the privacy fascists who would like to dictate that nobody has any information available anywhere. We have been trying to forge a path between those extremities.

Q28 Charlotte Atkins: Why was it considered necessary to move patient data to national and regional databases when developing the new records systems? Won't central databases be more vulnerable to security breaches?

Mr Granger: I think there are different vulnerabilities. All information is vulnerable. We had to deal a couple of weeks ago with an incident of some PCT records, paper records, being left in filing cabinets that were trundled off to a scrap yard - a not uncommon occurrence, sadly, with paper records, that they go astray. Computers with records on them that are accessible get stolen from NHS premises; and people maliciously try to break into large central databases. No computers are totally secure; and paper records are not secure either. Where you have a situation where information is being freely available on paper within a hospital setting, it has the vulnerability of being browsed very easily by the very people living in the community that the patients come from. The same can be true in a GP practice. Where you have a central or regional database, you have the vulnerability of systemic examination of information either by people from within that community or strangers. We are very alive to that. There are significant sociological challenges in the busy world of health care around the balance between the ready accessibility of information to enable people to do a job quickly and adequate security. We decided in 2003 to adopt the gold standard, as it existed at the time, of Cabinet Office information security, a standard called e-GIF (e-Government Interoperability Framework) Level 3, which means we have issued 350,000 smart cards to frontline NHS staff and put them through a screening process which is not dissimilar to that which is necessary to obtain a passport, and they have had to be vouched for by senior colleagues in order to gain access to information. That has been a laborious process that has been effected through 4,000 registration points. We are the only piece of civil infrastructure in this country that has done that. We have had a couple of instances now, and one was through the ignorance of a temporary member of staff whose contract was terminated as a consequence of it, and the other was a deliberate decision in a busy A&E department. We have had a couple of instances of local variation and breach of the standards we have stood up: one smart card per person; that card must only be used by that person and so on. The technologies to enable us to move to something slicker than the use of smart cards are immature. We looked at using facial pattern recognition, retinal recognition and so on. Fingerprinting is not great. Although it exists as a mature technology it is not great in an environment where people wear rubber gloves. There are quite a lot of form factors around assuring rapid access to information and it being secure in a clinical setting. There are risks to central databases; there are risks to local databases; there are risks to paper. One of my great sadnesses about the last four and a half years is that we did not have the opportunity to spend two or three years doing benchmarking and cogitation because the benefits of getting systems in have outweighed that; but if we had we could have collected vast quantities of information about confidentiality breaches caused by paper; because that has been the status quo, and the risks to patients of paper going missing as well. The same is true of other physical media, like X-ray films. Yes, there could be a risk of having a repository with over 200 million X-ray images on it, and other digital images, but there is certainly a risk if you go to the average district hospital and they have to re-shoot 20,000-30,000 studies a year because the X-rays went missing.

Q29 Charlotte Atkins: Given what has just happened with prospective junior doctors, what confidence do you think the public and patients will have in a computer-based system of this nature? Clearly, there were problems with paperwork; I know there were problems with smart cards left lying about and this sort of thing; but, given that very personal, confidential details of prospective junior doctors have gone public, how do you feel that this is gong to affect the public's confidence in being able to develop a system which is secure?

Mr Granger: With regard to today's news, I am both pleased and sorry that I do not run that system. I am pleased I do not run it right now because it has gone wrong; and I am sorry I did not run it because it may not have gone wrong if I had. The only responsibility I will take in that space is that I unfortunately put the network connections in on time. Of course had I failed to do that nobody would have been able to access it, and it would have been my fault. We have had a great deal of assurance and scrutiny about what we are doing in terms of systems security. No system is ever going to be totally secure, but a remarkable number of the general public do entrust information through electronic channels with far lower levels of security than we offer, whether it is to their bank, when they go shopping, or they accept it as a matter of course if they travel by airplane, for example. I think that what we are talking about is a level of concern which is legitimate, and the balance of the benefits of the new system. I think the benefits far outweigh the disbenefits. We have a number of people whipping up anxiety about the disbenefits. They are rather similar to people who have a fear of flying: are we going to ground all airplanes globally because some people are scared of flying?

Q30 Charlotte Atkins: You have just given assurances to people that because you are personally in control of this nothing is going to go wrong.

Mr Granger: No, I did not say that. I actually said all computer systems are vulnerable, and no computer system can be completely secure.

Q31 Charlotte Atkins: You implied that if you had been running the system that was dealing with prospective junior doctors that there would not be a problem. You have the opportunity now to be able to give assurances that you will put in place systems which make sure that will not happen, except in the most extreme circumstances. What would you say to a nervous patient who is going to give permission for their personal details, very sensitive to themselves, going on this system? Given what was happened with the junior doctors, why should they be confident that the system will work for them?

Mr Granger: I would say three things on that. Firstly, I think we have a high quality team deployed and worried about this issue. It is not something we take casually; it is something we take very seriously. I cannot give you a cast iron guarantee that things will never go wrong because that would be misleading you. We take the matter very seriously. Our suppliers have a track record of working in this space. They all do work for security services, for example; and indeed one of them has a team that largely emanates from a security service running their NHS work now. Secondly, we are introducing this functionality incrementally; so it is not a big bang and we are taking things step-by-step, which is a good way of mitigating risk and examining what is going on before proceeding to the next stage. Thirdly, I would say one of the most worrying aspects of the NHS at, say, 2002, and surveys were done in 2002-2003, is that most people that we serve incorrectly believe that the information from earlier in their care is available at the next stage. We have not until recently started to fulfil that understanding that the public have about how the NHS already operates.

Dr Braunold: Can I come in with a couple of points from my perception? If we were to say, "Okay, let us scrap it. It is too hard, it is too difficult, we should not do this, the risks are too great", my own perception is that the technologies exist for information sharing and what people would do (because I see it already) is start sharing information inappropriately. They would use ordinary email systems, they would send people information that is confidential through insecure ways, and, for me, what the National Programme for IT is really about is spending enormous resources but important resources on getting the information governance right so that we share information appropriately. For me as a clinician, the challenge in the last decade was clinical governance, and when it first came in as a phrase I think many clinicians did not understand what clinical governance was: it was a buzz word; they did not know what it meant. Ten years later, people really understand what clinical governance is, what it means to them as a clinician, and they want to raise the standards of clinical care that they deliver to patients. The challenge for the next decade is information governance. I think if I said that to the average clinician in my PCT, they would not really understand their responsibilities around information governance. That is where we are at now. In ten years' time, I believe that people will really understand what their responsibilities are about protecting patients' data, sharing appropriately information and what their responsibilities are about its accuracy and security. I think that that is why we are doing things very slowly, and incrementally. When we looked at the Summary Care Record we could have said to all 152 PCTs, "Just do it", but from where I am sitting we have to do things very slowly and incrementally and evaluate what we are doing. We have got an independent evaluation that is being commissioned (it was announced yesterday) with the University College of London that will be evaluating all of these access controls that we are describing that are not present in what happened with the junior doctors thing that was declared this morning. These access controls have to be tested to make sure they work as they have been commissioned and tested on a small group of patients before it is rolled out wider. I hope that gives some reassurance.

Q32 Charlotte Atkins: The British Computer Society suggested that you should have a distributed database with information stored locally but accessible in a secure way to clinicians through a web-based search engine. Would that not be a more secure way of doing it and eliminate some of the concerns which patients might have?

Mr Granger: Perhaps we could let you have a note on the number of computers that have been stolen from within the NHS, as best we can calculate it. It is interesting. I do not know whether there are hardware manufactures advising them as well. The costs of doing that are quite significant. You have a complex technical solution. I find it perplexing when we have had 20 years of systems that have been essentially based around a central mainframe or, now, a set of boxes concatenated together with relatively little information getting stored in the end-user domain and it passing securely over networks. We did not want to, frankly, experiment with the very, very large distributed network. None of the leading suppliers of solutions in this space who are willing to bid take financial and completion risk around the delivery came up with that architecture, but they are in the business of actually delivering things, making it work and then getting paid; they are not in the business of producing reports.

Mr Cayton: Could I add, again, perhaps from the perspective of the Care Record Development Board, because the point that you raise, of course, is exactly right. There is nothing more designed to raise people's anxiety than the kind of story that I, like everybody else, heard on the Today programme or read in the newspapers this morning. As I was coming here it was a pretty heart-sink kind of moment to hear exactly that story coming out. What we have certainly always argued is that public trust in this system is fundamental to its success, as, indeed, is clinical trust, and I do not think any of us would be, as Richard has already said, remotely sanguine about the fact that we have cracked this, although I have to say that we have continued to deliver and to solve quite difficult debates and problems against a pretty relentless barrage from those who do not think this is the right way to go. What I would want to say about the confidentiality and security issues is, first of all, that we are continuing, as Gillian said, to improve our control and management of those in the NHS through improved support for Caldicott Guardians, the development of information governance rules and structures. The Government has already announced that it is establishing a National Information Governance Board, which is being supported by the BMA and many others, but really the problems about information governance are about sociology and not about technology; they are about human error, as I suspect the issue with the junior doctors database was, and they are about human wickedness and about people actually deliberately doing bad things with data - stealing it, and so on - but there are over 45 laws that apply to data management, confidentiality and security, there are seven codes of conduct, there are 11 sets of standards and guidelines, and those apply now and they will apply in just the same way with an electronic system, and we have been supporting the Information Commissioner in his bid to increase the penalties for people who maliciously steal and misuse data.

Q33 Charlotte Atkins: Have any other countries developed a similar system - either the one that you are suggesting or, in fact, a local distributed database as is suggested by the Computer Society?

Mr Granger: We have the misfortune of being first out of the gate with quite a lot of what we are doing, and different countries have different challenges, but if you look at provision in large providers in the US, for example, Kaiser Permanente or the Veterans Administration, you find large central databases.

Q34 Charlotte Atkins: We are intending to look at those, yes.

Mr Granger: If you look at what has been done in Alberta, you find a large central database but, in fact, set off with a fantasy of consent for the minutiae of information governance at each patient clinician interaction, and they gave up after about six months because, clearly, the doctors had better things to do with their time. If you look at the proposals that are being worked through by regional health information organisations in the US at the moment, they are about delivering HL7 standards based infrastructure to move information between health organisations, which is exactly what the Spine that we now have working in England does. Some of the smaller European countries have spent 15 to 20 years developing county-based distributed systems at very significant cost, and they have had a lot more time. They have different solutions. A number of jurisdictions are currently out to tender to buy something that looks remarkably similar to that which we now have large parts of working in this country. So it is a mixed picture. The structure of the NHS is unusual compared to other jurisdictions. The arrangements we increasingly have with private sector providers of NHS care and the accreditation process we have around them being enabled to display booking information in GP practices, bookings to be made and to interface with our demographic service and security arrangements, and so on, are models about which we have had visitors from Canada and Australia frequently because they see that as a template for their own arrangements.

Dr Braunold: The other area is that I have done a little bit of journeying inside the UK and been to look at where there are some large databases already that are giving benefits. In Scotland, for instance, there are two million patient records of drugs and allergies that are helping out of hours care in Scotland that are on a single database; in Hampshire and the Isle of Wight there is a repository which holds all of the GP records - the coded section, not the text - and discharge information from the hospitals, and results, and X-rays and letters. There is an enormous amount of information in Hampshire, for instance, on a very large repository. They have all gone for putting information into a big pot, if you like, that various places access rather than distributed choice in those areas.

Mr Cayton: A rather extreme example, but in the Veterans Administration in the States, when they had the terrible floods in New Orleans the Veterans did not lose a single patient record because they were held on a secure database in Texas. Their patients were able to go to veteran hospitals in different parts of America and immediately receive their own patient record, whereas many other hospitals had their entire record systems wiped out. I hope our system will never need to meet that kind of problem.

Mr Granger: I will give you an example of where we have had that kind of problem: the Buncefield oil depot fire wiped out system availability for a number of NHS institutions that had systems run by a company called Northgate for a good couple of weeks, and I understand there may have been data loss as well. We had some difficulties, which I think were growing pains, last year with one of our suppliers who you have appearing as a witness, CSC, where we had some system failures. We did not lose any data and we have, since then, doubled the level of resilience. We do not just have one back-up site and tapes, we have now three back-up sites. There are systemic risks around central systems and there are systemic risks around local systems, and one of things, I think, we need to be mindful of in this country is the mobility of the population. In London one in four patients may change PCT in a year, and having information locked into local systems does not necessarily serve them well. Across the whole country we are looking at increasing mobility of patients as extended choice comes in. We need to be able to move coded information around the country; so I think an architecture that allows an extreme level of heterogeneity of solution and tries to make that standards based. We approached the BCS and asked them if they would like to assist in the accreditation process. It is a question that we continue to work through with them, but there is a balance to strike between having everything that is one (as it has incorrectly been described) monolithic system, having a small number of systems and having massive variability and standards based interaction, because the standards are not sufficiently mature at the moment.

Q35 Charlotte Atkins: You also decided, indeed your evidence says, not to go for any sort of wholesale replacement of existing IT systems. Is not that a change in direction from your original plan?

Mr Granger: There is a mixture. I will be clear with you. We found it very, very difficult to replace existing systems. Brownfield site implementations are incredibly difficult. We did three of them last weekend - Ipswich, Northampton and Surrey and Sussex hospitals. You might have half a million records, 10 to 20% of which are duplicates or corrupted, that have to be cleaned up by staff in the hospital; you might have 30 to 40 feeder systems, some of which require on-line interfaces to the central system; one to 3,000 users operate over one to half a dozen sites in each trust; you have to do the implementation, switch from one system to the other, over a weekend. It is a big heavy-lifting systems engineering job. It is like replacing the core systems in a small government department or small corporation - perhaps a 300 to 500 million pound turnover organisation - in a weekend. They are really difficult to do, which is why we have had significantly more success putting in systems where things did not exist previously or overlaying new functionality. Yes, it is an evolution of what we are doing based on the engineering reality we have encountered. Where we started from in Spring 2002 was a strategy. It was called a strategy and that is what it was. It was not an engineering plan from the ground up. We found data system conversion to be challenging. So we have used a number of existing systems and upgraded them, but that is not the whole story. There are also a significant number of new systems that have been implemented.

Q36 Charlotte Atkins: But you are going to make it more complicated by allowing GPs to choose their own software and, by so doing, are you not then building in issues with it being difficult for those systems to talk to each other and so on? You have gone from one situation to a completely different situation where anything goes.

Mr Granger: From a simplicity perspective for people putting in computer systems that work well across multiple locations, having not too many different types of software is good practice, because when you come to test upgrades you do not have lots of moving parts to enmesh in a complex gearbox. As I said, we have already got 102 different systems that are tested to run over this Spine, so it is already a heterogeneous national IT environment in the NHS in England. We got the message loud and clear from a number of GPs that their affinity for their existing software exceeded what they saw as the value of replacement, and we listened to that. Notwithstanding that, about one in ten GP practices now has a system that had very little penetration five years ago from a company called TPP. There is not enormous liquidity in that market place, there is one dominant player. It is very complex to do the data conversion, but we listened to what GPs wanted.

Dr Braunold: One of the biggest challenges for me when I was brought in as GP Clinical Lead to do some of the engagement work with my colleagues was that clearly we had GPs (and I speak unashamedly as one of them): is how on earth could you engage GPs about something that I think is going to be one of the greatest opportunities for health gain in my generation if we get this right? On the other hand, GPs are at the forefront of computing in the world, frankly, and the risk of losing some of that enormously rich functionality for the greater good of going to some lowest common denominator was the fear; so we needed to find a solution which would continue to engage my colleagues and make sure that they did not lose the functionality that they were enjoying as we moved forward. We engaged with the programme as Clinical Lead and said: how can we move forward on this issue? It was a really important issue to get right. The GPs System of Choice, which is the OJEC which is going on at the moment, which is an enormously important lever forward for the programme and for GPs and for twenty-first century computing for general practice, enables continued investment in suppliers that are able to meet the standards of the National Programme for IT and show a migration path against the things that the programme is to deliver. Dr Cundy, who you are going to hear from after us in the next session, who is Chair of the Joint GP IT Committee, was one of the GPs that I asked to go to do one of the evaluations of the suppliers who put in to be part of that OJEC. Unlike some of these European OJEC things - those things are usually trying to bring it down to one person to win - this was not an exclusive tendering. It is intended to be open to anybody who wishes to take part who can meet the standards, and as long as they can meet the interoperability standards and the standards that we require for interoperability and a pathway towards integration, then they are welcome to join in, and I am sure you will ask him some more about GPSoC, which has had full, wholehearted support from all parts of the GP economy.

Chairman: We are now going to move on to some questions about timing and timescale. It might be appropriate if I mention at this stage that we are about six minutes away from what we thought would be the end of this session, and in the light of what is in front of me and around the table, that is not the case. I wonder if I could ask for sharper questions. I understand the need for you to have your say, but sharper questions and sharper answers.

Q37 Jim Dowd: You have just stolen my line. I was going to say the whole of the IT project is running behind time and so is this session of the Committee! In part of the evidence it says, "The transformation from paper to digital information will take place gradually up to 2010 and beyond." That sentence is impenetrable. What the hell does it mean and what is the significance of 2010? If it is gradual to 2010, what will it become afterwards?

Mr Granger: If I could just say one thing as a matter of record. It is inaccurate to state that the whole of the programme is late. That is not true. Some of the programme is late, some of it is on time and some of it is early, and that information has been available and certainly the clerk of your committee had some information to that effect into the progress we have actually made.

Q38 Jim Dowd: Can you now answer the question that I asked you?

Mr Granger: Getting hospital doctors' paper-based notes on to computers, for example, or structured communication between hospitals and GPs, requires a level of consensus from the end-user community which cannot be ignored or ridden rough shod over. So, we will not have a paperless NHS for a long time, in fact, we may never have a paperless NHS, because it may not be worth computerising and going to a paperless environment for absolutely everything that we do. Less and less paper is circulating in the NHS. So, if you go to hospitals that have got---

Q39 Jim Dowd: That is what it says. It does not say it might never be completed, it says it will completed but it is vague about when it will be completed. Are you saying this characterisation is just inaccurate?

Mr Granger: No, I am saying it is gradual. Most of what we set out to do in 2002 will be completed by 2010, but during that time a number of other things are now being computerised as well.

Q40 Jim Dowd: Also the Patient Administration Systems have been delayed because they are replacing "legacy" systems. Briefly, can you tell us what defines a "legacy" system and why was it chosen to do that rather than starting from scratch? This must have been understood at the outset, surely?

Mr Granger: There were about 180 major systems installed in hospitals in England in 2002 that ran the core administrative functions, and some of those have already been replaced, some of them have been upgraded.

Q41 Jim Dowd: What is a "legacy" system?

Mr Granger: A system that was already there in 2002.

Q42 Jim Dowd: So where it says "an existing legacy system", the "legacy" word is redundant. You mean existing systems?

Mr Granger: Yes. You have my apologies for the tautology in the drafting.

Q43 Jim Dowd: Why was it not decided to start with these systems from scratch?

Mr Granger: Because there is a vast quantity of data on the existing systems and hundreds of thousands of people trained to use them, and we cannot simply turn them off overnight and wait whilst suppliers develop new ones. The act of replacement, as I described a few minutes ago, is a complex process that, in a hospital setting, you typically have to do over a weekend, and you cannot do the whole of the country in a weekend, or you would be very naive if you tried. It is a gradual process. It is taking us longer than was envisaged in spring 2002, the suppliers have found it more difficult, the data quality is poorer than we thought it would be and it is a difficult job, unlike, for example, putting in picture archiving systems, which was not in the plan in 2002, which we have made excellent progress in and are running to schedule.

Q44 Jim Dowd: That leads me to my concluding question. We have received a number of submissions, one of which says that "for the first three years of the programme, NPfIT was driven in an environment of ignorance of the true NHS environment". Is that why delivery of the new systems has slipped so far behind schedule? Do you respond to that as an accurate assessment of the position before you had any responsibility for it?

Mr Granger: I do not know whether that is evidence you have received from an individual who has been personally disadvantaged by the programme so much or what the perspective is. The fact that we had an awful lot of staff who had ten, 20, in some cases more than 20, years' experience of working in IT in the NHS, working at the core of the programme, using materials that they had developed over that period, I think is a statement which does them a great disservice. I do not recognise that environment at all.

Q45 Jim Dowd: What are the main causes then for the delays, if it was not the fact that the whole thing was far more complicated than was envisaged in 2002 and that the expertise and the assessments of 2002 were fundamentally optimistic and inaccurate?

Mr Granger: Some areas of the programme have got delays, others have not. In terms of the overall ten-year programme that was set out in the contracts we have put in place in 2003/2004, we will get most of that work done during that ten-year envelope. I have talked about the fact some aspects are more complicated, others have been quite straightforward. To have gone from an NHS which only had about 10,000 places connected up to the Internet in 2003 to the delivery of a 19,000 end-point network which is backed up everywhere with secondary circuits three months ahead of schedule is not late and is a greater scope than was originally envisaged. To have completed at the end of March the roll-out of picture archiving across the whole of the south of England and London, which was not in the original work programme, is not late; it must, by definition, be early.

Q46 Jim Dowd: One last point, Chairman, and I accept your exhortation about moving on rapidly. When you say it has got more functionality than originally envisaged, is that because the original estimates were just wrong?

Mr Granger: I do not know of a large-scale IT enabled transformation programme in a complex organisation that from its starting point to its mid point has a direct correlation. I think it would be a fantasy to imagine. I know people write fantasies, but in the real world it would be ridiculous to imagine that halfway through a ten-year programme you would only be doing the same things as you set out five years ago. I will give you some examples in addition to the digital imaging. Putting in a new secondary uses service, putting in an email service, putting in the standards for GP to GP record transfer, putting in a new payment system for GPs, taking the atrocious batch legacy number systems that the NHS was reliant on and putting in fresh, modern on-line databases, putting in bowel cancer screening systems, none of those was envisaged in 2002.

Q47 Jim Dowd: The electronic X-ray storage was?

Mr Granger: No, it was not. It was not in the strategy document in 2002.

Jim Dowd: Okay, we will come back to that.

Q48 Sandra Gidley: You have been very bullish about the fact that extra things have been added since the introduction of the system, but you have played down rather what has been delayed. Do you accept that the electronic record system has been delayed?

Mr Granger: Some aspects of it have been delayed by 24 months.

Q49 Sandra Gidley: Is that because of taking on extra tasks or is there another reason?

Mr Granger: The consultation process has been far longer than was originally scheduled, because the work that had been done in 2000 to 2002 by way of preparation required significantly further work. I will not say it was defective, but the work that my colleagues have done around patient consultation and consultation with the professionals who are using the system created an environment in which the specification that was drafted up in 2002 had to evolve, and until the specification was stable it would have been inappropriate to have got on with finalising the software because it would have had to have been reworked at a cost to the taxpayer, to strike a balance between consultation, a ministerial taskforce, professional involvement and rework work that had been undertaken by Anthony Nolan, in particular, through in 2002.

Dr Braunold: I think it may be worth explaining a little bit more that some of the work that Dr Taylor was referring to earlier about how are we going to get to where we are going to in terms of the picture on the lid of the jigsaw puzzle, that consensus building about how it would work - engaging with clinicians and making sure that they, as people who are going to be using the system, has taken time to engage with clinicians and gain consensus about prioritising what will come around the consent model which has taken a very long time - has been very difficult to move forward on content and design in some areas when you are still having discussions about the consent model.

Q50 Sandra Gidley: You have both talked about engaging clinicians. I found it quite interesting to note that the Royal College of GPs, NHS Alliance, the Royal College of Surgeons, the Royal College of Nursing, the British Medical Association, amongst others, all in their submissions to us mentioned that there had not been sufficient engagement with clinicians and with patient groups. A number of patient groups commented in the same way. Is this a bit after the event that we are talking?

Dr Braunold: I am the fourth attempt at clinical engagement. That is the tier that I am: the National Clinical Lead.

Q51 Sandra Gidley: You are "the fourth attempt". What does that mean?

Dr Braunold: I will explain that. There were other clinical engagement efforts that happened before the National Clinical Lead's appointment, three previous ones, and the National Clinical Lead's appointment was praised in the report from the Public Accounts Committee and the National Audit Office in terms of starting to make real efforts and quality improvements in the clinical engagement with the community. We were sponsored by the BMA and the Royal Colleges as jointly owned individuals who were accountable back to those bodies and as named individuals that they would be prepared to work with who were sponsored into the programme.

Q52 Sandra Gidley: How long have you been involved?

Dr Braunold: Two and a half years. I was nominated by the BMA. I was nominated by the General Practitioners Committee. My job-share, Professor Mike Pringle, was nominated by the Royal College of GPs, and we two together work as clinical champions from the general practitioner community with a track record with GPs, who are accountable back to the profession, for making sure that systems are built that are fit for purpose from a GP perspective, and it is our responsibility to do an ambassadorial role for the National Programme from a General Practice perspective. There are equivalent roles to. We have hospital doctor colleagues, Dr Simon Eccles and Mr Ian Scott, and we have Jan Laidlow from the Allied Health Professionals and we have our nursing colleagues. We have done quite a lot - I think it is an enormous amount - in terms of setting up advisory groups and interfaces with our colleagues and making sure that they are involved at every stage in every important programme. There is a National Clinical Reference Panel for the Summary Care Record for which every one of those colleges has been asked to nominate people who are able to make sure that the Summary Care Record has the right advice about what should be in it and what should be not in it and that it fulfils the criteria for the Care Record Guarantee, and that has all been slowing things down, frankly, from the original intention because we wanted to make sure that it had proper clinical sign off, and that tension is evident.

Q53 Sandra Gidley: But that is only the last two and a half years. What engagement was there in the first three years?

Mr Cayton: Could I come in here. The Care Record Development Board took over from two committees, one of which was called the National Clinical Advisory Board, on which every single one of those bodies was represented, and that existed well before I became involved in the programme. So, if that group, which consisted of the Royal Colleges and their colleagues, was not delivering four years ago, that is actually the responsibility of the clinicians who lead those colleges. I have had innumerable meetings with Royal Colleges and with the Pharmaceutical Society, and so on, over the last three years. I have had very positive relationships with them. I have actually found them extremely constructive in practice, and I think we are just in one of those situations where what people say in public (because it is a posture to take), "We have not been adequately consulted", is not the same as what is happening in practice. We have had patient organisations involved throughout. Only last week we had an open session in which we had over 30 patient organisations taking part, the Care Record Development Board has an annual conference which is open to the public, and to the press, and to clinicians, and we have had over 100 patient organisations and certainly over 350 people attending those conferences every year. We have actually done a great deal to try and engage with clinicians at all levels, and certainly, since my involvement, I have been personally entirely committed to that process.

Q54 Sandra Gidley: How long have you been involved?

Mr Cayton: The Care Record Development Board was set up three years ago.

Mr Granger: It is undoubtedly the case that we could always do more in this space. It is undoubtedly the case that the concept of professional consensus about some of these issues is challenging. Generally, when you put disparate professionals together on some of these issues, you do not get agreement, you get at least one opinion per person.

Q55 Sandra Gidley: That is within a profession?

Mr Granger: Yes, a medical consensus is undoubtedly oxymoronic, but if you look, for example, at your profession, would you like us to wait until the pharmacists and the GPs agree on how much data would be visible in dispensaries, or would you like us to get on and roll out electronic prescriptions with the benefit that that delivers? We have those challenges across the whole programme because the tribal nature of clinical practice means that these different groups all take different positions and different postures, and we have tried to strike a balance around achieving progress rather than just wait for everybody to agree. I suspect we would be waiting an awful long time.

Q56 Sandra Gidley: I gather the prescriptions are problematic as well, but we are not here to discuss that. We can probe this further with those groups themselves. My final question at the moment: why has so much effort been diverted into Choose and Book rather than into the detailed clinical systems that actually support patient choice?

Mr Granger: I will ask Gillian to come in in a moment on this. If you look at the strategy document from 2002, you will see Choose and Book did not exist. What you will see is electronic booking. One of the many areas where we got additional work was the delivery of choice, and electronic booking was quite a straightforward proposition which had been extensively piloted, which was about packaging up a referral and sending it electronically. The delivery of an on-line booking system that produces a confirmed appointment connecting up the best part of 10,000 locations with an on-line processing system is something that is far more complicated. So, the task got more complicated with the announcement of choice. It is a government priority and it has been first out of the gate in terms of putting on-line connectivity into GP practices, and it is dependent upon a lot of different moving parts, all working at the same time, only some of which are controlled from the National IT Control Centre in Leeds. I can vouch for the network, I can vouch for the Choose and Book system - I know when that goes down. I run some of the PAS systems already, I only run some of the GP systems. All those bits all have to work in order to complete the transaction. Gillian, you are a user of Choose and Book.

Dr Braunold: I am, and I think that some of the issues are that Choose and Book, being the first out of the stable, have had to take the pain of connecting to the Spine. So, the first thing that people know of is their smartcard. I have heard so many GPs and colleagues around the country call it their Choose and Book card, because they think that this is only to do with Choose and Book and they do not think it has anything to do with the rest of what is being built, and actually it is their key, as guardians of NHS care records, of their patients' data. It is far more important than Choose and Book, but it is just that that is the first out of the stable. It is also, of course, informed around whether there were speed problems, problems with your network or, more likely (which we found to be the case), sometimes it is actually the configuration of the computers at the end-user end, which does not change the experience of the person at the end, although it is taking a long time for it to work, and complaining about Choose and Book when actually you need to do some further diagnosis about what is going on under the bonnet. Choose and Book has had to take a lot of pain, but an enormous amount of the issues for me have been around performance managing the take-up of IT. Speaking as a GP here, and I do not have anything to do with the delivery of Choose and Book from the Department of Health perspective, I personally believe that targets are not the way to get people to use information technology. The NHS is commissioning tools that it expects people to use, and it expects people to use them if they derive a benefit, and I know that clinicians will use tools and use them to greater effect when they see them being beneficial. As you start to find a better use of service delivery because you have got a tool, it spreads like wild fire and people use it more and more, but they need to have time to grow into using those things. I actually believe that the rest of the service which we have protected from having any kind of targets, like the Summary Care Record, and letting PCTs go at their own pace when their GPs and PCTs feel ready to go with the Summary Care Records, is a really important part of how that is going to go forward and grow with confidence, and when people are ready to go they will try it out. I have no doubt that the value of a coded record on the summary, as people see suddenly they have got access to care pathways because they can click on the code, will have GPs and patients crying out for the Summary Care Record faster than we can deliver it.

Q57 Chairman: We did discuss the issue about the content of the Detailed Care Record when we were having the earlier exchanges. What do you say to people who say that the main plank of that - the PAS hospital system being developed by Lorenzo, Millennium - is not going to be providing what they were originally providing. Is that because it is a moving picture? This is an accusation that has been put to us and I put it to you to answer.

Mr Granger: I think the problems are different. The Millennium product from the Cerner Corporation is a very rich system, as I say, in use by a third of hospitals across the US. There are two issues with that. One is the Anglicisation of it so it does things the way we do things here, where we want to, and in some cases we may want to do things differently, so that is a problem with that product. Can we change it as much as we need to and can we take the good things from it, which we currently do not do? That is a kind of process redesign issue. The Lorenzo system is a new build system. What has in fact happened for the first time under the national programme on Saturday morning in Ipswich was that the latest upgraded version of the old product was implemented with quite a lot more clinical functionality, but the core problem we have with Lorenzo is building a new system, a task which is estimated to cost around 250 million and is taking longer than the prime contractors that brought that to us (Accenture and CSC) estimated and has caused the company doing it (iSoft) significant difficulty. In the meantime, we have been getting on putting in systems which deliver immediate benefit and are a transitional step, and with that system we have a problem of getting sufficiently rich functionality developed, but we do not have a problem with Anglicisation because its heritage is in the UK. These were not unforeseen problems, which is why, unlike a lot of other major procurements, and not just in the public sector, we did not just go with one solution. We did not go with a plethora of solutions because of the cost and inefficiency of that, we went with a couple of solutions. It is also why we deliberately did not contract with the suppliers of those systems, because they failed financial viability and scale tests that we set as part of the procurement, and, again, you can see with the passage of four years the accuracy of the procurement approach, which we published in January 2003, and what has actually happened by spring 2007. It will continue to be difficult and, of course, if it was easy from the late eighties when the other major paper factories of civil administration in this country got computerised, it would have already been done. The reason health is being done last is because it is most difficult. Building the software to satisfy a highly educated end-user group who often have quite difficult circumstances around balancing time between accessing data, entering data and dealing with patients creates lots and lots of specific problems.

Chairman: Thank you for that. We are going to move on now to one or two questions about patient consent.

Q58 Mr Jackson: In the pilot of the Summary Care Record, there is an assumption that patients have consented to having their data uploaded into the new system if they do not specifically opt out within a certain period. Is this approach consistent with patients having more control and ownership over their personal data? Can I just say that in evidence we have recently received the point has been made, "We are very concerned that Connecting for Health's insistence that section ten of the Data Protection Act 1998 should remain the exit justification for patients who do not want a Summary Care Record. We believe this is counter to Lord Warner's verbal assurances and also all ethical, professional, moral and legal principles." What is your response to that?

Mr Cayton: It is an awful lot of moral, legal and ethical principles to be against at the same time, and my first statement is I try to be in favour of most legal, ethical and moral principles.

Q59 Jim Dowd: But you are not dogmatic!

Mr Cayton: Let me start off by trying to outline the position that was taken by the ministerial taskforce, because that is the position that we are currently in, and also by clarifying, I hope, what Lord Warner said when he announced that the department was accepting the recommendations of the taskforce. The fundamental debate (and it is an entirely legitimate debate, and I do not think any of us have ever suggested that we take this in a trivial or light way) is a debate between the utility of having a system where informed consent is required explicitly from every person and a system where it is clear that consent is implied and informed consent is a matter of choosing not to take part. We debated that quite robustly in the taskforce, and it is quite clear from experience in other countries and in other systems that if you have an informed consent to be part of the system, then large sections of society, particularly some of the most vulnerable people in society, do not take part. They do not take part because they do not know how to give informed consent, they do not take part because they do not understand what is being asked or offered and they do not take part because of physical immobility - so older people, some of the frail people living at home in the community who might be most likely to benefit. So, there is that issue that arises, an equity issue, and you have to start by believing this is a good thing, which clearly we do. So, there is an equity issue. Are we going to deny the good thing to a large group of patients in the population and, secondly, there is a practical issue for doctors and GPs in particular. We did a sort of back-of-the-envelope calculation, which I am sure we could try to do more accurately if you wanted, and we worked out it would take 100 years of GP time to go through the consent process for every single patient in the country. We were not sure that was ethically a good use of people's time. We came to the agreement (and this was an agreement absolutely with everyone on the taskforce) that the model that we had adopted which said we will inform people very carefully about what is being done, we will give them every opportunity to choose not to take part if they wish to, was the most practical, ethical and appropriate way forward. Clearly there can continue to be a debate about that, but that is the position the taskforce took, including the BMA and the Society for Emergency Medicine and the patient organisations who were there. The recommendation that we should do that and that we should allow people who did not want to have a record to have a number of different positions that they could take: one is to have a shared record but not allow anyone to see it - so to have it uploaded but locked down so that at some stage in the future, should they change their mind, they might be able to unlock it - or not to have any data uploaded to the system at all. The issue that I think your evidence raises around section ten of the Data Protection Act is that we believe that the processing of data in the NHS is actually a requirement for the proper functioning of the NHS. So, for that reason, in order to secure the proper functioning of the NHS under the Data Protection Act, we merely require people to sign a form saying that they understand the consequences and the choices that they are making when they opt out from the system. It is not intended to be in any way a sort of Draconian system, it is not intended to ask anyone to prove anything under section ten, it is merely in order to secure the legality under the Data Protection Act of processing data.

Q60 Mr Jackson: Thank you. That is very comprehensive. Chairman, could I ask two brief supplementaries? Have you estimated the impact of how many patients might opt out and what impact that would have on their application, and, very briefly, with regard to GPs, are you absolutely sure that there are issues about breach of confidentiality for GPs in the system, albeit inadvertent, and their liability for it?

Mr Cayton: Let me take the first one first. Of course, these are only provisional figures, but there are 10.5 million people in Scotland in the Scottish system; there have been 593 opt out requests in Scotland, which is 0.01% of the population. In Hampshire and the Isle of Wight system, 690,000 people, 1,050 opt outs, 0.15%. In the Early Adopter Programme so far in Bolton 0.17%, and in the Wirral 0.01%. So, we are talking about less than 1% of the population when people have the system clearly and properly explained to them and they know what is going to happen in practice.

Mr Granger: Not the big opt out.

Q61 Sandra Gidley: Excuse me, I live in Hampshire. No-one has clearly explained the system to me. I very rarely go to my GP. How am I supposed to know whether I need to opt out or not?

Mr Cayton: I will turn to Gillian because she is working on the Early Adopter Programme.

Dr Braunold: In Hampshire (and it is some time ago) leaflets were sent to the population. I am not responsible for Hampshire, but we have taken some learning and I can take you through how we are not happy to do it the way Hampshire did it, which is where we have been criticised for not listening. We have been listening very carefully to the ERDIP (Electronic Records Development and Implementation Programme) project, which Hampshire has been, which is one of the NHS IA projects on the electronic healthcare record, and they did a mailshot to every household. We have learnt from what Hampshire did, because we believe that it did not go to every person who needed to learn about it, and I have learnt more about the junk mail rule than I ever want to know, but it exists and you need to send to every addressed adult in order for it not to get thrown away if you have got Safeways or Tescos trying to tell somebody something at the same time. Not only are we sending to every address but we are sending to every adult over the age of 16. Originally the Information Commissioner asked us to write to every adult over the age of 18, but my colleagues in Bolton came back to us and said, "But we have got adults between 16 and 18 who do not live at home", home being with their parents, "they live at another registered address." So, we went back to the Information Commissioner and said, "What do we do about that?" and he said, "Okay, you can send to 16 year olds." So we have now sent to the 50,000 patients who are registered with the first nine practices that we have gone with in Bolton. We have written to everybody, not only those who are 16, but everybody who is going to be 16 over the first three months of the pilot, and they have been sent addressed leaflets. But we do not rely just on that leaflet campaign, we have to then do other methods of communication within the area. There have been lots of newspaper articles and other methods of getting into communities that are going on at the moment in Bolton. We have been stuck a bit by purdah. I am being perfectly honest. From March 15 onwards on has not been a brilliant time because we are now in purdah, and until May 4 we cannot do much more in terms of a public information programme in Bolton; but the minute we get past the May elections, we are allowed to do something that is being interpreted as political process because of the political nature of this discussion that we are in now, so we will be able to do a much wider advertorial campaign. We are doing information booths and a public information programme within Bolton where people are coming in, for instance, to Lever Chambers and they asking in depth questions. We have sent out around about---. You have got the figures, Harry, of how many leaflets we have sent out to people in Bolton. There have been requests for something like 900 sets of confidentiality packs from the Bolton population from the 50,000 that we sent out and about 400 of those were altogether from people who had various difficulties, and I think about 60 of those have gone to people with limited eyesight - Braille versions and large print - so we know that we are getting there. One fact that you might find interesting is that I thought maybe people were not reading the leaflet. You know, you send a leaflet to people houses. How do we know they read the leaflet? Unfortunately, we got one letter wrong to one practice. It said that they were registered with a different practice. We had hundreds of phone calls from patients who said, "You say I am registered with practice X instead of practice Y." So they were doing some reading of the material that we were sending them. Nevertheless, the whole project is to be evaluated to check, not only the consent model, but the quality of the information programme that we are doing, because the consent model is predicated on informing the population and, if the population is not informed, the consent model is inappropriate. So, we have an independent evaluation that has been commissioned that is starting on 1 May, and that will look at all the different communication methodology that we are using in Bolton, and it is not just an evaluation for Bolton, it is the whole Early Adopter of the summary record in its first year that is being evaluated, and we are testing different methods of communicating with the patients who are being affected.

Mr Cayton: The Care Record Guarantee is now available in 16 languages, and we are increasing the number of languages as we go. I have brought some examples here if you would like to see them.

Q62 Mr Jackson: I did not get the second part answered about the concerns that GPs have.

Dr Braunold: Very briefly, I did 22 road shows with Professor Pringle across the country and we had concerns from GPs around the time taken to consent, which was, I think, the biggest concern that people had. So, what we are doing with my colleagues is looking through the data quality, which is really important, so that they do not inadvertently send erroneous information. We know that the dataset that is being uploaded in bulk is the drugs and allergies. The reason we have chosen that (and it took some discussion with colleagues across the country about going for that model) is because the drugs and the allergies are likely to be the most accurate subset of information. We are all using datasets, formularies, if you like, so it is not free text, and it is very likely to be accurate, whereas the summary of the significant medical history has the potential to be inaccurate, and that is why it is not going in a bulk, it is going opportunistically one by one so that there is the checking of that by the patient and the doctor before it is submitted. Part of the model is that those are only submitted after a conversation with the patient, and how that is being done is being worked through by our colleagues on the ground who are prepared to put that pain in to testing different models and seeing which works the best.

Q63 Chairman: Thank you for that reassurance, Dr Braunold, that a leaflet delivered through a letterbox is actually read. It is something that some of us have doubted from time to time in this profession. I would like to ask you very quickly what level of consent will be required for the Summary Care Record data for secondary purposes such as clinical research?

Mr Cayton: The law will not change in any way whatsoever, and the law is clear that patient information can only be used for clinical research with consent or entirely anonymised, or, exceptionally, with the permission of the Patient Information Advisory Group which gives section 60 approval as part of the 2002 Health and Social Care Act. The two grounds on which the Patient Information Advisory Group will give consent, which is obviously a parliamentary matter, is if it is clear that getting consent is either impossible or so onerous that it is not appropriate and the public benefit of the research is so great that it justifies doing the research without getting consent. There will not be any difference whatsoever in the legal position of people's data in terms of research with an electronic system than from now. I am just grabbing this back, this particularly useful piece of paper. To put this in context, Biobank, you will be aware of, has recently started to invite members of the public to take part in research. I have to say I was personally quite sceptical and I have been quite interested by the fact that 10% of the people mailed by Biobank in their pilot in Manchester actually responded positively to the invitation to take part in research, and, although a number of those people (and again I am surprised how few but I think it is interesting) wanted to know how their name and address came to be selected and wanted to know who had sent out their name and address, of the very small number - 23 who wanted to know how they had been selected, 25 who wanted to know how their name an address was obtained - after they had had a discussion with Biobank 50% of those people continued to go forward to take part. So, I think what this is suggesting, not in any way that we should move away from consent for research, which I think is very, very important, but that the public in this country still have very strong communal interest in clinical research and in a common ownership of the Health Service, which I think is one of the wonderful qualities of our Health Service, that it is a joint enterprise and not a set of private contracts.

Q64 Dr Naysmith: Good morning. Mr Granger, I understand that it is proposed that patients will be able to put some or all of their data into electronic sealed envelopes if they choose to do so, but I also understand that the technology to allow this to happen does not yet exist, is that not rather astonishing?

Mr Granger: Is it astonishing it did not exist by 2002, or is it astonishing that it does not exist yet?

Q65 Dr Naysmith: Is it not astonishing that it does not exist yet? Is it an oversight that we are starting talking about it and yet the technology is not there to do it?

Mr Granger: No, because the consent model which you have heard about around the Summary Care Record has dealt with whether people would like their information withholding or not and the variety of arrangements there, and I think we circulated some information to you around that. It becomes necessary as we move into segmenting a record with the detailed information that will follow as the system evolves. It is difficult to specify, difficult to develop and it reflects the views of certain groups of patients and certain groups of experts, and I think as we go through the evaluation process with the Early Adopters we will get a better understanding of whether we have got .2% of the population potentially driving a very large amount of expenditure on computer software when 99.8% of the population have a very simple requirement that the NHS treats them as safely and as efficiently as possible. So, I think the sequencing is rational based on the way the programme is going.

Q66 Dr Naysmith: When will the sealed envelopes become available? When will that technology be available? Are you saying that it might not if it is such a small proportion that it does not matter?

Mr Granger: The current proposal is that the Spine central infrastructure software release programme in April, May 2008 will deliver the central functionality for sealed envelopes. I do not wish to mislead the Committee. You must recognise that the systems that feed in and out of a central system will also have to be upgraded to comply with that, and one of the challenges we have is that this is not a requirement in other jurisdictions. We have got a plan to deliver it.

Q67 Dr Naysmith: Is it a requirement anywhere else?

Mr Granger: I am not aware of other---

Dr Braunold: I think in France there is a sealed envelope functionality. My French is limited, but what I read of a translated grid showed a sealed envelope functionality with the two levels of sensitivity very similar to the one that we have suggested here, and I think some of the delays that Mr Granger was referring to---. We did a risk assessment of the original sealed envelope proposal through our clinical safety arm of Connecting for Health, and it became very evident that we were at risk of breaching the very confidentiality that the sealed envelopes were there to protect if people did not use them properly. So, you have got this balance of business process and the human beings in the NHS who are not used to this new way of thinking that might well not use the software properly when we design sealed envelopes to protect patients' particularly sensitive items. The other risk was that if we did not have the functionality right, then large swathes of the population would opt out because they would have no confidence in the system. By opting out I mean that they would choose not to share their information. We did some work with the technology office and with clinicians around the sealed envelopes proposal that I have given you as a power point, and I am well aware that the Committee is running late and I am very conscious that you probably do not want me to take you through it, but what I would like to say is that we have proposed two levels of sensitivity there, a normal sensitive barrier that would give an audit trail if somebody opened it who did not have express permission to open it, and a sealed and locked version where it is not even visible outside of the work group you are in. We took that to the most challenging group of doctors of all that exist - not just doctors, clinicians I should say - the Sexual Health Conference that the CFH ran last month, who are the most sceptical that the confidential data that they deal with in the GUM clinics will not be adequately protected. We took them through the sealed envelope proposals that we have and how we think it will work and we asked them in the evaluation: "On the basis of what you have heard, would you support your local sexual health service using the NHS Care Record Service? Please scale your answer using (1) not at all to (5) very much." I will submit this as a note, but the evaluation showed that 23.8% were on three, 23.8% were on four and 26.2% on five, and the people who were on not at all or the next grade up were 2.4% for each of those categories.[1] So, we were very, very pleased with that outcome for the most challenging group, that when we explained our proposals for simplifying the sealed envelope structure but making it fit for a purpose, we think that we have got the technical specification right for the service.

Q68 Dr Naysmith: You still have not answered my question when you think it will be.

Dr Braunold: Two thousand and eight.

Mr Granger: Software drop, April, May 2008.

Q69 Dr Naysmith: You are confident you will meet that target?

Mr Granger: BT have delivered every one of their central software drops on time for the past 18 months. There was lots of delay before that, but this has become quite a reliable delivery environment now.

Q70 Dr Naysmith: I understand you also commissioned a risk assessment report last year suggesting that it would be best to hold information like this locally rather than on a central database?

Dr Braunold: That was the risk assessment process that I was referring to, which looked at how would we use it and were there risks associated with it; and we redrafted it in line with the recommendations of that risk assessment report.

Q71 Dr Naysmith: So it does follow that?

Dr Braunold: Absolutely.

Q72 Dr Naysmith: You were talking about the presentation you let us have. On the last page it says that information in sealed envelopes can be pulled off for anonymised secondary user purposes, but SUS information data is not always totally anonymous, is it, because it includes postcodes and date of birth?

Dr Braunold: That is what pseudonymised is. Pseudonymised, which is one of my most challenging word to spell, means you could get to some part of the demographics without knowing the full name and address of the patient.

Q73 Dr Naysmith: But someone can find the full name and address of the patient from date of birth and postcode information?

Mr Cayton: I would just repeat the point. There is no difference in the legality or in both professional and legal frameworks. This is a process of clinical research now and there are very, very strict guidelines. My view is that because of the audit trail, for instance, and some of the other securities that lie within the system, the new system should actually allow better use of fully anonymised data. I should say, there is a secondary uses working group of the Care Record Development Board which will report in the next month or so, and that group contains a large range of both patients representing sensitive issues, such as mental health and HIV, and researchers and clinicians. It is chaired by Sir Robert Boyd and I am looking forward to receiving their report which will have a number of suggestions, I think, to even further increase the safety and security of the use of records for clinical research, which I think we all want to achieve because it is in all our interests to continue to do clinical research, including on mental health and HIV.

Q74 Chairman: I think we are down to the last question, and I would like to ask it of you, Mr Granger. We have had a number of submissions that you will be amazed to know about that say there should be an independent technical review of the national programme. How do you respond to this?

Mr Granger: I am interested as to whether the people calling for that are, indeed, themselves independent. We have been as a programme the subject of significant scrutiny, both from the NAO and the Office of Government Commerce and a number of reviews which we have commissioned as a consequence of events or concerns that have occurred over time. Ministers took a decision last year that there was no benefit in a further review of the programme being undertaken, and that was the position that was set out by Lord Norman Warner in the spring of last year.

Q75 Chairman: A technical review is a bit different to reviewing all the issues that are floating around in the media quite a lot of the time. Is that your understanding in terms of overruns? Would it seek to get answers to questions that some people believe remain unanswered.

Mr Granger: We know from 350,000 people using systems that did not exist four years ago with billions of pieces of information flying around the network that did not exist, with hundreds of thousands of people using a security framework that did not exist. At what point do we get to a situation where people's research tool, which is Google, is actually thrown out? They would not go shopping for health advice on Google, but they somehow consider that they can vicariously analyse the performance of a programme using generally inaccurate press coverage. I am not sure. Do we have to get to 500,000 users? This programme was always going to be very challenging; it has been very challenging; it will continue to be very challenging. Where there is specific expertise that is going to work from an evidence base and improve what we are doing, reduce errors, reduce time overruns, I would say with the time overruns that one of the problems with this programme is there was no financial contingency. So, as a programme director, quality, functionality and time are the three things that we have to deal with and the only expression of dealing with problems on this programme is necessarily time, because we are operating within a financial cap and the functionality demands have tended to increase rather than decrease. If there are people who want to work from an evidence base, the door has always been open for them to come and work with us, but people who just lob cold collations of negative media coverage in so-called dossiers hardly do themselves a service as a serious group of people that are working from a robust evidence base.

Q76 Chairman: They and others around could influence public opinion about this problem.

Mr Granger: Undoubtedly they do.

Q77 Chairman: Would such a review increase, or be likely to increase, public confidence in the programme?

Mr Cayton: Might I just come in there and say that it seems to me that---. I have always said that the Care Records Development Board deals with the issues to which there is no right or wrong answer, only the best answer we can come up with. If there was clearly a right answer to some of these difficult issues, then we would not need committees and we would not need inquiries to look at them. It is only because they are, inevitably, contested issues, both in ethical terms, in terms of good clinical practice and in terms of the functionality of IT systems in the modern world. My feeling is that, through the systems we have got in place, there is a very robust system now of involvement and engagement through the Care Record Development Board and the National Clinical Leads and a large amount of public scrutiny, which I welcome, because I think the kind of scrutiny this Committee gives is part of a proper process of examination of what the programme is doing, we have to move forward on that basis. If we keep going back and saying, "Because I disagree with a decision that has been reached through a public and accountable process, I now want to unpick everything", we will never deliver and the people who will, I think, not forgive us are our children, who live in an IT enabled world now and, I have to say, will be very surprised if in 50 years' time we are saying to them, or perhaps not us, but our children's children are saying to them, "Oh, we gave up because it was too difficult."

Q78 Jim Dowd: Given the scale of the undertaking, as you have described it, given the novelty of a lot of the approaches, how much of your system's software is dot zero releases in the operating systems that are out there?

Mr Granger: None of the operating systems, because they are either industry standard proprietary systems or LINUX. In terms of the application software, almost all of the applications that are being delivered are systems that have been deployed extensively previously or are incremental upgrades of things which were deployed previously. In terms of the core Spine infrastructure, there was some mythology in the Health Informatics Community that the standards existed, HL7 was mature, and so forth. That was completely untrue. We have had to put an awful lot of effort into specifying the standards for messages, around demographics, around booking, around prescriptions, and then the software that BT have built with a number of sub-contractors is brand new software that has been custom-built for the NHS; so that is high-risk, new build software. There was no other way of doing it. I am very pleased a number of other jurisdictions are getting very interested in using that. What I do not want us to end up with in the NHS is a situation we have in a number of other areas of civil administration where we expend a significant amount of money building something which, when it comes up for re-tender, we have a unique supplier and we either have to pay to get other people to come in and bid in order to have a competition for the replacement, or we are held to ransom at the point of replacement. What we need to get to is a sufficiency of open standards, which we are leading a lot of jurisdictions on, so that when we come to re-tender these systems at the end of the contract there is a vibrant market of suppliers in a number of jurisdictions and we do not face that risk on an enduring basis because we are sharing software that is used in other places. I think, in particular, the Welsh Assembly will have some very interesting choices when we turn off the systems on which they are dependent, starting next year, as to whether they use the English solution or they go and build from scratch something that does the same thing.

Chairman: Could I thank the three of you very much indeed for coming along. I am sorry about the overrun in this session. I thought it was likely to happen in view of the inquiry. Thank you very much, again for coming along, and I hopefully it will not be too long before we have our report out in relation to the Electronic Patient Record.


Witnesses: Dr Martyn Thomas, visiting Professor of Software Engineering, University of Oxford, Mr Andrew Hawker, NHS Patient, and Dr Paul Cundy, Chair, General Practitioners' Joint IT Committee, gave evidence.

Q79 Chairman: Could I welcome you very much indeed and, first of all, apologise for the lateness of the hour in terms of this evidence session. I do not have to tell you why, as I understand all three of you have been sat in the room for the last couple of hours. Could I welcome you to our now second evidence session of the Health Committee's inquiry into the Electronic Patient Record and, for the record, I wonder if I could ask you to introduce yourselves and the positions that you hold. Could I start with you, Andrew Hawker?

Mr Hawker: Certainly. My name is Andrew Hawker. I am now retired. Since Mr Granger seems to take a slightly paranoid edge about some of the things he says, could I stress that for much of my career I worked in selling and installing systems and taking flack in much the same way as he does, although for much smaller types of system, and latterly I worked in a university.

Dr Cundy: I am Paul Cundy. I am a GP. I am the Chairman of the Joint IT Committee for the BMA which represents GPs in the UK and IT issues. In the same paranoid sense, I should also declare that I am the owner and manager of a niche software company that sells to PCTs and other GP system suppliers and practices?

Dr Thomas: I am Martyn Thomas, and I am here on behalf of the UK Computing Research Committee, which is an expert panel of the British Computer Society of the Institution of Engineering and Technology and of the Council of Professors and Heads of Computing in UK Universities.

Q80 Chairman: Once again, welcome. Could I start with a question about the strategic direction of the national programme. You have heard the answer to this question, but I would like to put it to the three of you. The Government is now clearly planning to introduce a central Summary Care Record and a local Detailed Care Record in relation to the programme. Why are two systems necessary? I do not know who would like to start.

Dr Cundy: I am quite happy to have a bash. I recognise your Committee is recognising the volte-face of the programme, because certainly it was true in 2003, when it was first announced as a national programme, it was going to be a single record accessible to anyone anywhere when necessary under the famous three pillars. We now have a very different description, as has been described by Mr Granger, and that is a description which we welcome, but certainly general practice believes that what we should be doing is connecting together the electronic islands that are out there already. So, we believe in a concept of interoperability, and that, therefore, defines each organisation having its own detailed organisational record which has a high degree of relevance to the users in that organisation which exchanges snippets of information (summaries, if you like) through standard-based messaging with other systems where necessary and when necessary. The concept of the Summary Care Record is a concept that some people believe will improve patient safety, and that began as a concept of having a brief extract of terribly important relevant details available wherever you are externally to the local detailed record. The concerns that we have about that is that the Summary Care Record is turning out to be far from a summary care record. We are aware that there are already, even before the evaluation of the pilots is completed, suggestions that the Summary Care Record should also collect data from Choose and Book (i.e. referrals data) and also possibly the electronic prescriptions service. So it is already looking like far more than just a summary record. If that is the case, that raises enormous concerns about consent arrangements, because people are being consented against a summary. It also raises concerns about how you manage a multi-contributor, a multi-organisational record, which is something which has not been tested before. I believe that there should be local detailed records at the level of organisation and whether you want a summary care record or not is possibly a worthwhile experiment.

Dr Thomas: As computing experts, we simply do not want to comment on the clinical need because it is not our expertise. What concerns us is the fact that a very large programme is underway when the specification is not yet clear and keeps changing. At best, that is a grossly inefficient way of developing large IT systems and, indeed, of bringing about large-scale organisational change and, at worst, it is a way that cannot succeed, but time will tell.

Q81 Chairman: On that issue of the specification changing, you suggest Dr Cundy, that you are unhappy with the model of X number of years ago which was going to be a national Spine with 60 million patient records on it accessible from Lands End, not quite to John O'Groats because it stops at the Scottish border, but, anyway, Berwick or beyond. It seems, under those circumstances, that has changed. You are suggesting that the summary situation might be a bit difficult for you as well. I used the expression "political compromise"; maybe I will drop the politics out of this. It was a consensus that had to come about because some parts of the profession did not like the idea of patient records being, presumably, beyond the immediate institution that they live in. Is that a crude and wrong analysis of the situation?

Dr Cundy: It is a perfectly fair observation. Whether it is true, I think I would dispute. I think one of the points to make is that general practitioners have enormous experience of dealing with complex electronic records. Despite the description that Mr Granger gave of general practice systems at the moment, they are world-beating systems. I have a system that I can go from the documents, the letters on my patients, through the pathology results in a couple of mouse clicks to a graph of all their blood pressure observations since inception. We have now recently developed technology, through a project which was begun before the national programme, to exchange GP records wholesale from one practice to another. Six hundred practices in the country have that, and it is almost getting on for 10%, and that exchange can occur in a matter of minutes. If you can exchange information, share information in that fashion, that therefore must question your concept of sharing information under the programme, which is to put it all into one single bucket which may represent mirrors of information held elsewhere and control access to that bucket. We believe that is something which has been untested but we suspect it is something which is probably unmanageable and potentially unsafe because, if we pick up on a point which was made earlier, different doctors need different information. As Gillian Braunold said, I do not want to know every single potassium result from a patient of mine while they spend ten days in the cardiac dependency unit of the local hospital. What I want to know is that they went in, when they went in, what the diagnosis was, when they came out and what drugs they were on, and that can be sent to me in a completely different way to my having to go into a single large data repository.

Q82 Chairman: It strikes me - this is a general point about the programme - that it is ambitious to say the least, but if you go back hundreds of years in medical history, some of the things that doctors were doing at the time which made major breakthroughs people were sceptical about. People turned round and were questioning what even their peer groups were doing in terms of whether that was the right thing to do, and yet at the beginning of the twenty-first century, certainly in this country, life-expectancy and everything else (until in quite recent years we have children and obesity) has been pretty incredible in terms of the extension of it, and the quality of our life as well has greatly improved because of people doing things for the first time. Quite frankly, if people were questioning it on the basis, "We do not think it will work", or, "It might not be manageable", we may not have made the progress through the centuries that we have done in society in general and throughout the world. Do you not think that this sort of questioning of potentially every little minutiae is something that is non-progressive, for want of a better expression?

Dr Cundy: I am not a Luddite. Most GPs are not Luddites. We are actually pushing for things. Even now that the programme is not delivering the programme we would like to deliver, we have been pushing. That is why our systems are so well developed. I think sometimes the problem is that the agenda we are pushing for is a different one, and that may be because of the position we inhabit in the NHS, which is that we are the guardian of the life-long record. I totally agree that you have to try things, but do you want to conduct your experiment on 56 million patient records or do you want to try some pilots first; and the initial proposal was an experiment on 56 million records, and that was a view that we did not share.

Q83 Chairman: I will move on. I want to ask specifically Andrew Hawker. You argue that all clinical information should be held locally with only a unique patient identifier on the central system. What would be the advantage of this approach?

Mr Hawker: I would echo the earlier comment: you then have absolutely no doubt to whom that information belongs, who is actually managing it, accountable for it, and so on. It seems to me that we are drifting almost into a situation where you have a hybrid system, you have local and national records; it is not clear to me who actually is finally responsible for one or the other. Also, at the same time, and I hope we will come back to this, we are being invited to give, in effect, two kinds of consent. There is one sort of consent if it goes on something called a care record, but there will be some other kind of consent process for the local record - that is as it comes across to me - and both of these do not seem to be a very well thought out philosophy.

Q84 Chairman: Dr Thomas, you wanted to say something?

Dr Thomas: Yes. It seems to me that there are two issues that are being run together here. The overall objectives of the system seem to be trying to tackle two problems in parallel and those two issues are perhaps in conflict. On the one hand, there is the question of putting in good IT to support the clinicians supporting the patients, and I think everybody in the NHS is entirely behind that. Where IT can improve healthcare, it is sensible to deploy it once you are in a position to be able to be able to roll it out without disturbing things too much. There is also the issue of transforming the way that the Health Service operates and the way that the Health Service is managed and the need for information to be available in order to be able to change the management structures. I suspect that there are a lot of stakeholders throughout the Health Service who are resistant to the notion of change of management. That would be absolutely normal in any large organisation. Bringing those two things together and trying to use the IT programme as a facilitator for bringing about managerial and organisational changes that have not already been agreed is, in my experience, never successful.

Q85 Chairman: I am very tempted to refer you back to the report we did on workforce planning, but I do not think we will go there. We are trying to get some sleep without the thought of it at the moment! Is it not really saying the Summary Care Record we are getting is basically because the Government has admitted it can produce what it wanted to do in terms of a national electronic record and, in a sense, they have failed to do that and so this is the compromise that I talked about earlier?

Dr Thomas: I was listening very carefully to the answers you got when you were asking your earlier witnesses about that and it seemed to me that they contained a lot of contradictions and lack of clarity about what they really were trying to do. The notion that you could introduce a Summary Care Record and then use it as the Local Care Record, because it had the flexibility to enable local care groups to upload whatever information they wanted to and could agree to actually share amongst themselves, looks to me like a specification creep that is highly likely to undermine the security policies that are being put in place: because now you are starting to handle data, where at the time you designed the security policies you did not necessarily know that that data was going to be available in that record. So, whilst I sympathise greatly with the motivations of Mr Granger and his team and their enthusiasm for using modern technology (and I sympathise very strongly with the difficulties they have got in actually working out exactly what they can do and on what timescales and what is practical), to do it in the context of a national programme with declared goals and declared roll-out targets and declared implementations in hospitals across the country and then actually to run a programme which is exploratory in nature is just a backward way of running a very large project, it seems to me. I imagine Mr Granger has got trapped into it by the politics of it. I am not accusing him of incompetence at all, I am saying that, having seen what is happening, we need to back off and say; "let us plan this, so that we can maximise the progress we can make and minimise the financial and timescale risks and contingent damage that we might do to the Health Service in the process".

Q86 Chairman: How do you get large projects if you do not do it like this?

Dr Thomas: Every large successful project is grown out of a successful small project.

Q87 Dr Naysmith: Can I ask Dr Thomas a very quick question. I have seen quite a few computer projects over the last ten, 15 years in local authorities, in universities and in government, and almost every one suffers from this "specification creep" that you are talking about. As people get to know about a project they want to bolt new things in. It happens, in my experience, in every computer project, whether it is large or small, and the clever thing to do is to manage it and stop it at the right point. Is that nonsense or is there some truth in what I have just said?

Dr Thomas: There are two sources of specification change. One is genuine specification change where people discover new requirements or, while a project is actually being developed, the world changes around them and they have to change it; and the other is specification changes that occur simply because you did not investigate the specification well enough at the beginning and, therefore, you discover holes in your own understanding of what the situation always was and always would have been.

Q88 Dr Naysmith: What I am putting to you is that nearly always happens?

Dr Thomas: It nearly always happens because the current style for developing a computing project is simply broken. If you are building a large building, which can very often be an organisational change process as well, what you do is bring in an architect and the architect works with you to really understand your requirements. They formalise those requirements, they come up with high level design and, in the process, they uncover all sorts of conflicts, contradictions, things that you had not heard of. They can bring to bear their own experience in those sorts of buildings, help you to really understand your requirements; then they move round to your side of the table and actually put out a contract to procure the building that has been designed. We do not do that at the moment in IT systems. We put out a contract to procure on the basis of the ill-founded, contradictory specifications with holes in and then, astonishingly, it goes wrong. Of course it goes wrong.

Q89 Dr Naysmith: So your criticism is not just of this project, it is of nearly all?

Dr Thomas: It is of nearly all projects, but this is a project where perhaps we have got a chance of saying: "Hold your horses. We can get to where you want to get to faster, cheaper and at lower risk if we simply reassess what you are doing and can get rid of some of the baggage of having to live up to promises made by people in the past."

Q90 Sandra Gidley: A question for Dr Thomas. Your submission argued that the electronic records system should be introduced as a series of small systems that can be built up into a national system rather than what is happening. The Government seems to be doing the complete opposite of what you are advocating in your submission.

Dr Thomas: Yes. Really what I am saying is what I said earlier: that successful large systems grow out of successful smaller systems. I do not want to really propose technical solutions because I do not believe that the specification, the requirements, are really very well understood yet. So, my instinct would be to do lots of prototyping and work with the clinicians in the frontline to really find out what works for them, what they are happy with, what works with their patients, and then to stand back and decide what you want to do on a national basis, talking to a group of people who now understand the power of the technology better because they have worked with the prototypes, and where you have managed to evolve specifications that have come out of the real experience of the clinicians who will need to use them.

Q91 Sandra Gidley: I may have misunderstood. I got the impression that you were talking about different systems joining together potentially, which would surely have problems if they did not interact with each other?

Dr Thomas: It is generally a better architecture for a large system to have a lot of individual components which can then fail independently, because fail they will, without actually causing widespread disruption. So, if you can build large systems out of small systems which intercommunicate in a standard way, that gives you a much more resilient architecture. One of our concerns is that there does not appear to be an overall dependability case for the national programme.

Q92 Sandra Gidley: A dependability case?

Dr Thomas: There does not appear to be a structured argument that says: here are the quantified goals for the availability of the system, for the reliability of the overall system, for the accuracy of the data, for the number of security breaches that are tolerable - those sorts of issues - and here is a structured argument based on sound evidence that the systems we are building will actually deliver those quantified, dependability objectives. A group of us asked Mr Granger whether such a case was being prepared, and he said he did not have the information to do that because it was actually proprietary to his suppliers. Therefore his team, by implication, was not in a position to assess the dependability of what they were buying. I was taken aback.

Q93 Sandra Gidley: There are no examples in the past of the sort of approach you are advocating failing?

Dr Thomas: It would be an appalling thing to do, to claim there are no examples of any kind of system architecture failing. I think the computing profession has managed to fail in almost every conceivable way so far, and no doubt will continue to do so, but that is true of all new engineering disciplines. You learn from your failures.

Q94 Chairman: Can I ask you a quick question, Dr Thomas. You wanted everything at the beginning of the journey, as it were, which is the ideal world for anybody who is involved in engineering - and I am a lapsed engineer given that I have been in politics for a long time now - but what was described this morning and what I picked up now and again were issues that are add-ons to this system like electronic imaging transfer. There are some clinicians who feel it is just a wonderful thing to happen. With the model set out and writ down large at the outset, something like that would presumably have been blocked, "Sorry, we cannot do it because it is not what we have set out to do", which is very reassuring from an engineering point of view that this is the project that you are going to deliver over time, et cetera. So, from an engineer's point of view, would it limit the ability to be able to do things like add-ons that we have heard about this morning?

Dr Thomas: Clearly you are not a lapsed engineer: once an engineer you are always an engineer; the engineering understanding will never leave you.

Jim Dowd: It is just that he was not a very good one.

Q95 Chairman: Which is how I ended up here, but that is by the by.

Dr Thomas: I am not suggesting for a moment that you should have come up with a specification for all the things that you wanted to do that was completely locked down and that you were not prepared to change.

Q96 Chairman: I just wonder, if it was an add-on in the view that it was not thought about when people sat round in a room and developed this, a system that was rigid would block it off.

Dr Thomas: No, I think the programme could quite reasonably have said: "There are a lot of point solutions in healthcare. We are introducing specific systems to support specific activities that are actually independent and do not need to be highly connected into other parts of the system or the overall architecture. It would be a very powerful thing to do, so let us have a budget for doing that because they will come up." One of my concerns about the way that the programme is going is that it is in danger of locking itself out of the advances that will be made in the availability of healthcare systems around the world. In setting out to be a leader and to develop standards which it hopes will be adopted elsewhere, there is a danger of investing a very large amount in architecture, in software, and so on, which rapidly becomes obsolete in that other people have come up with better solutions and you cannot easily swap them in because you have built something that is too highly integrated.

Dr Cundy: I think that one of the significant failings of the programme was that they did not consult with the user-base whilst they were developing their specification. A good example of that is that, whilst Mr Granger in his first year was dealing with the LSP contracts, we were negotiating our new GP contract, and we signed that off in April 2003. The contracts for the LSPs were signed off in November 2003 and it was not until after that that someone said to him, "Did you not know that there are things in our contract that you have got to deliver", such as the add-ons that he was talking about, QMAS, GP to GP, and he did not know about those; and the LSPs were going round giving presentations to GPs saying, "This is a system we are going to give you, something fantastic. It will give you pathology results", and the GPs were saying, "We have had that for five years." PACS is another good example. Many of the PACS systems being installed now are the PACS systems that were on order books in 2001 to 2004 that were put on hold because a new programme came along. They are essentially the same systems. They will be the eighth version, but they are basically the same product but under a different procurement mechanism. What happened was the programme came along, said, "We are going to do this", and trusts said, "We actually need a PACS system", so that was then brought in. The failure was not adequately understanding the market that Mr Granger was procuring for. He went out and procured, under his experience of procuring, where he has procured before, but he did not put enough time into consulting with the users what it was they needed to deliver the programme. If that had been done, we would have had a much more incremental "building on what we have already got" approach, which I think would have been more successful.

Q97 Mr Amess: Listening to you three gentleman, I think it is a great shame that the three previous witnesses cleared off as soon as you started. I would like to have seen the six of you together, a bit of creative tension, and got the inquiry off to a bit of a bang. All they are going to have to do is read about what you have said, but it cannot be helped. Where is your practice, Dr Cundy?

Dr Cundy: I am in Wimbledon Village, a very informed and affluent population.

Mr Amess: It sure is.

Q98 Jim Dowd: Hardly part of the inner city, is it?

Dr Cundy: No.

Q99 Mr Amess: Dr Cundy, is it a good thing that general practitioners will be offered a choice of suppliers for their electronic record system and does the decision to offer choice represent a change of direction by Connecting for Health and will it mean a less centralising approach to these issues?

Dr Cundy: It is not a good thing because it is illustrating the precise point I was making earlier. Our new contracts specify that GPs would have a choice of system from a list of accredited systems. That was negotiated between 2002, signed off in 2003. In 2003 Mr Granger signed contracts with the LSPs but did not have GP choice in them. It has taken us three years to get to the stage where we are now, where we are about to let the contracts with the GP suppliers that will give us what should have been delivered in our new contract of 2003. From that point of view it is a very good thing, because it is what the Government is delivering on what it committed to three years ago, but from the point of view is it a good thing as a result of the programme? No, it is not, it has been held back three years by the programme. If they had properly consulted the market place, we would not be three years late with it. Is it a good thing that we have lots of different systems to choose from? Yes, and we have been through this iteration before. I have been in IT now for far too many years, Chairman of the IT Committee for 11 years and I have seen this thing cycled. Prior to the programme we had a thing called RFA (Requirements for Accreditation), which was an attempt to get systems to work together to common standards. That largely failed because the procurement side of it was not aggressive enough, did not have enough teeth. That resulted in a market place where there were about 31 different systems that you could purchase from. Mr Granger's intention was to throw all those away and have, effectively, two or three systems for everyone. That has rolled back and we now have a situation where yesterday we were evaluating applications from nine different systems, which is probably a healthy and vibrant market. It means we will have suppliers who will have to be competing in a properly funded market, on a level playing field, simply on the basis of user functionality, and that is, in my opinion, an ideal position to get to, but it is a position which we negotiated in our new contract, it was not delivered to us by the programme.

Q100 Mr Amess: It does not reflect very well at all on the gentlemen responsible for this and it is a very poor example of joined up government. Is there a financial cost in all this in terms of the delay and the less than satisfactory approach?

Dr Cundy: My only comment is that we offered to meet Mr Granger very early on after he was appointed in early 2003 so that we could explain to him that we had---. This is addressing another point he made earlier. General practice views on what GPs want for IT are actually very clear-cut. There is one committee, it has representatives from the Royal College, GPC, which is effectively the union, and people who use systems. We have a very clear established structure for defining what we want, which is how we were able to very clearly place it in our new contract. If he had come to us and said, "What is it you want?", we would have given him a very clear picture and it may be that the LSP situation would have been different, but it may also be that he was told, under political direction, not to deliver it. I do not know. One can become very paranoid.

Q101 Mr Amess: Very interesting. How I wish he were here now to respond to those points. Finally, Dr Cundy and Dr Thomas, if general practitioners are to have a choice of supplier, should not hospitals and other care providers also have a choice? I am sorry you are being left out of this, Mr Hawker, but you have got more fish to fry later.

Dr Cundy: Yes.

Dr Thomas: Yes, I would think that is almost certainly the best solution.

Q102 Chairman: It leads me into a question in relation to that. I looked at news of IT in my local health economy in the mid nineties. I went to my local hospital, which is now a star via Gerry Robinson on BBC television, Rotherham Hospital, and they have just installed a wonderful PAS system. I actually watched a nurse fill in electronically the discharge, and got the keyboard out, for a patient who was going to be discharged from that ward on that day, and I said, "That is wonderful." I said, "How long will it be before it gets to her GP", and I was told that actually the discharge letters are printed off at night, on the night shift, when the hospital is quiet and hopefully patients are sleeping, and sent out to their general practitioner by mail. I said, "What if someone wanted some immediate help in the community, like a nurse to call round the day they get back at home"? "We phone the local GP up and tell them, or tell the local district nurses that this individual might need that type of help." That was choice inside the National Health Service in the mid 1990s, but my hospital system did not have the ability to talk electronically, to send the discharge papers through to the local GP surgery that was involved in the care of that patient once she had left Rotherham Hospital premises. People have a responsibility and ministers and others have a responsibility both to patients in those circumstances and to taxpayers, but choice is coherent, in as much as we are able to have systems and IT in the National Health Service that does have the ability to do pretty fundamental things like talk to one another and assist patient care. Would you dispute that?

Dr Cundy: No, I would not. I became Chairman of my committee in 1995. In July 1995 I coined the phrase at the British Computing Society Primary Healthcare Group "the electronic islands of the NHS" and the concept of interoperability is precisely what you are talking about. You want the electronic island of hospital to be able to communicate a meaningful message about a patient to the electronic island that is relevant (i.e. the general practice), but it could be the chiropody service or the speech therapist, and that is precisely what interoperability is about and I believe that is precisely what you are seeing the programme now moving towards.

Q103 Chairman: "Moving towards" - after ten years?

Dr Cundy: That is the message that I heard from Mr Granger's submission, but interoperability is a word that we were bandying around in 1995.

Q104 Chairman: It seemed to me from, both a patient care point of view and a taxpayers point of view, that both of these institutions in terms of the hospital, the acute and the primary sector at local level were funded out of general taxation no matter how it was procured, but there was no link up between procurement and it is complete nonsense, as far as I was concerned, from the use of public money. From the point of view of the GP surgery, I have no doubt that managing patient records electronically, et cetera, as opposed to Lloyd George's records, was a lot better - I accept that entirely - but the ability for patient care seemed to be lacking in that respect if we were relying on phone calls and somebody being there to receive the phone call because Mrs B was being discharged that day. I actually thought that that is what the national programme was about, to make sure we did not have that. In a sense it was choice, but it was sensible choice on systems that were compatible, or interoperable, as we now call it?

Dr Cundy: You will be interested to know that in the late 1990s there was a pilot in Kettering where they did precisely do that, they created an electronic discharge for somebody that was communicated electronically within seconds to a local GP surgery.

Q105 Chairman: Why do you think the delivery of the new electronic record system is so far behind schedule?

Mr Hawker: I wish I knew. I was hoping to find out this morning, and I am not really very much clearer, Chairman.

Jim Dowd: We ask the questions. We do not give the answers.

Q106 Chairman: None of us came into politics to answer questions. Dr Thomas.

Dr Thomas: At the time when the schedule was established, they did not know what it was that they were trying to deliver. They had a view as to what it was, but it was not a clear view and it has changed subsequently. It is clear, just from listening this morning, that the specification is still evolving. Under those circumstances, any schedule that you put together, any plan for delivery, is built on sand because you do not know how long it is going to take you to do something if you do not know what it is you are going to do yet.

Q107 Chairman: But it must be the case with a lot of IT programmes, small or large, that things evolve as things go on. Back in the eighties I sat down and talked to software engineers, and I was asking them, "Could you do X and Y?" and we used to add things on on quite a regular basis because it was not set. In actual fact, do you think, as somebody involved in this, that even parameters agreed now, there will not be the same parameters in five years' time, they will have moved on, because it is not a set thing, it is an evolving thing, is it not?

Dr Thomas: Yes, but you need to look at the context. If you are building a single system for a single group of users and it does not need to be highly dependable, then you can use what the industry these days calls 'agile methods'. You can actually work with the users evolving the requirement, building things, delivering functionality, and every week you give them additional functionality. If they do not like it you come in and change it. You can work with people to deliver that, but that would involve having teams of people working with each delivery site developing systems that were unique to them. That is not what the national programme set out to do and, in an organisation the scale of the Health Service, frankly, I do not think it would have been practical to work in that sort of way. Also, you have real problems with the properties of systems that are system level properties. Things like security are only partly dependent on the security of the components, they are really properties that emerge from the integration of components into an overall system, and, therefore, you really do need to plan those carefully from the beginning and to understand what it is you are trying to achieve in those areas from the beginning. The approach that you are describing works wonderfully if you are building an individual website for a commercial customer. It would not have worked in this context.

Q108 Chairman: No, we would not have had the interoperability that we have with this system.

Dr Thomas: No, you do need some central planning for the standards, for interoperability, of course.

Chairman: I think we are going to move on a little now to patient consent and ask Richard to come in.

Q109 Dr Taylor: I hope you will allow me to make two comments before I move on to patient consent. I am echoing David. It is so good to have you three after the bland platitudes we had from the first lot - absolutely refreshing. We were told user involvement was there from the beginning, and you said obviously it was not. Delays have been caused. All the communications were in place in the early 1990s in some hospitals, so it is very refreshing. I wonder if Dr Thomas would agree with one of the experts who has written to us: "To an experienced computer person this system bears all the hallmarks of massive failure. It is simply too big to design, plan, estimate, manage, implement, verify, install and keep alive"?

Dr Thomas: Yes, I would agree with that, the way that it is going. I do not think it is impossible to deliver high quality IT systems to support the Health Service, but I do think it is important to be clear what you are trying to do and, in particular, if part of your objective is to transform the way the clinicians work, then you better design new ways of working and get them agreed before you try to build the systems to support those ways of working.

Q110 Dr Taylor: Thank you very much. I will move on now to consent. Mr Hawker, you have been particularly worried about this. Do you think patients are being given enough information to make sensible decisions about whether their data should be placed on the record or not?

Mr Hawker: If I could move to the Care Record Guarantee, which earlier, I think, we were given to understand is the measure of reassurance that we are meant to have before signing up for the Spine, there seem to me one or two things that I would challenge within the guarantee. My first problem with that is that I do not actually believe some of the things it says. Secondly, a guarantee, so-called, would normally be forever. You do not buy a washing machine with a guarantee and then a year later receive a new version that says, "We have decided after all we do not really feel like doing this particular kind of repair", or whatever, whereas there have been changes over the past five years. In 2003 we were all being told that you have a right to object to information being passed on, even if it is to someone who might provide essential health care - that is 2003 - and then the first version of the guarantee said, "You can choose not to have information in your electronic care records shared", but the version we now have has this interesting word, "Usually you can choose to limit how we share the information in your care records." I am sitting at the bottom of the pile reading these things and feeling a little uneasy, because I am being given this document that we are assured everybody reads avidly. I find that very hard to believe, because I have read it many times and it is absolutely covered with question marks and things that I do not quite understand are going on.

Q111 Dr Taylor: Could we know what the document is?

Mr Hawker: Yes, it is the Care Record Guarantee.

Q112 Dr Taylor: Is that sent to everybody?

Mr Hawker: I believe so. I would stress this is called a "guarantee" of how your records will be handled, and it may be premature to raise some of the things, but it does, for example, say that security will be operated in line with internationally approved information security standards. I have various reasons for not believing that, for one thing.

Dr Thomas: It is effectively a meaningless claim. It is not of any technical significance to say that.

Q113 Chairman: No, but you heard the witnesses saying earlier that anything that is done with this patient record will be covered by, if you like, the law and the regulations of this country and international as well. Is that not saying the same thing?

Dr Thomas: Yes, and strongly implying that that meant no change to the position that the patients are in, but once the records are electronically accessible the demand for secondary use goes up and the ease of secondary use goes up, and so a lot of patients whose privacy was never really under threat with paper records, because it would simply have been too hard to go and trawl through large numbers of those records, are now potentially at risk without having changed the legal framework.

Q114 Chairman: That could be said of an electronic doctors practice that has got 10,000 patient records. It would be very difficult for you to go scooping through all of Lloyd George's records to find these individuals but you could go straight into---

Dr Thomas: Absolutely. I do not have the data, but it may be that the police are now routinely asking doctors to give them searches on that data, or it may be that it is legally privileged.

Chairman: I am sorry, Richard. It is not normally something the Chairman does. Please carry on.

Q115 Dr Taylor: Mr Hawker, you mentioned a Department of Health standard letter and the words "concerned" and "distressed". Is there a separate letter, or is that still this blue document?

Mr Hawker: I was sent a document which was headed, rather ominously, "If I do not have a Summary Care Record", in block capitals, and then proceeded to tell me how dangerous that would be for me. I do not want to read the whole thing, but that was the tone of it. It contains a rather interesting sentence which says, "Information in your Summary Care Record could save you and the NHS time, but it could also one day save your life." So this is not just making minor politics, I do not think. It carries on, "The NHS has significant problems with lost records and test results, treatment and prescribing errors and they lead to thousands of preventable deaths and injuries." This is quite ominous stuff, but, frankly, I cannot see the connection. If we create an SCR are we being told that this will eliminate all these lost records and test results? Some of them are the very things that feed into the SCR, i.e. errors in prescribing. Are these all going to be reduced or eliminated simply because we have an SCR. I feel the whole tenor of this is over the top.

Q116 Dr Taylor: You heard the previous witnesses saying 0.001% of people were going to opt out. I forget the figure; it was a not as low as that. Do you think they were accurate with that?

Mr Hawker: I do not know. I can only speak for myself. I am clearly one of the .2%, which on a quick calculation I make to be 100,000 people, which is a whole constituency full, so I do not feel that is a trivial number; but I think here, if you set aside all the political arguments and commercial argument, we have to come back to whether or not an individual patient has the right to say, "I do not want information handled in a particular way", and I was very disturbed to hear the sort of argument that says 98% of people are going to come round, therefore these other troublesome people should be swept aside. That is really taking the IT and making the policy fit round it, and it really ought to be entirely the other way round.

Q117 Dr Taylor: You are absolutely right. Dr Cundy, will GPs agree to upload their systems onto the big system without specific consent from patients?

Dr Cundy: I do not know. The initial indicators from most recent studies are that GPs remain extremely concerned about it. A question was asked, I think by Mr Jackson, about GPs' potential liability if they upload information without knowing whether the patient wants to or not. I believe that contradicts my professional responsibility to protect patients' data. One of the leading medical defence indemnity organisations, the organisations that insure GPs against claims of negligence, has just issued guidance saying that if the GP is not absolutely certain that the patient fully understands and has been fully informed, then he will be liable. I find one of the difficulties about the scope of that, one of the difficulties in this consent debate: it is certainly true that the level of people wanting to opt out of the Summary Care Record, as it is currently described to them, is very, very low. I think that there may be an element of apathy about that, but I certainly know that in my practice patients are more and more wary about what is happening. In fact I actually now have patients who look at the screen, and I say to them, "You are not happy about what we are recording", because they believe that is connected to the Government's computer system. I think that if the Summary Care Record just says you might be allergic to penicillin and you once had a sleeping tablet for a night flight, that maybe is fine, but if it starts becoming a detailed, almost mirror copy of not just a GPs record, because they are proposing to link it to other things (so it has got copies of everything from everywhere), it then becomes a very comprehensive record in relation to which I think patients' view on their consent may change.

Q118 Dr Taylor: Is it realistic to get that degree of consent from patients? Presumably it was the MDU or the MPS that said this?

Dr Cundy: It was the MDU, yes. The debate about whether you should opt in or opt out, ultimately, if you read through everything they have ever produced, comes out to one argument, and that is work-load and rate of uptake. Their own advisory panel said the only argument against it is the rate of uptake. If you have a summary care record, I would like to know in what way is my safety enhanced by your record being there or not being there because I am the patient? So, if I am the only patient on the Summary Care Record and I trip over Mr Granger's carpet in Bradford and my life is saved because I have a Summary Care Record, my life is not threatened by the fact that yours is not there. Therefore, there is no communal safety element; it is simply for the individual to decide. Therefore, why do you have to have an overnight, one-day bulk upload of everything? Most patients will see their GP within three years - statistically 90% of patients will see their GP within three years. Therefore, why cannot you say we will have a slightly slower upload, we will take it on a patient by patient basis? When the patient next comes to see their GP you can discuss whether you want something going on, you can do it slowly over time, and in taking that approach, which is a default opt-in approach, you slowly build the system and that allows time for trust in the system to be developed. One of the problems I have with this system is that it is being imposed on us. In every other element of the NHS we have choice. We can see who we want, when we want, where we want and have what we want done to us except for your record, and that makes me slightly paranoid. Why do they want to do that? So, I would advocate having a default opt-in so everyone is not uploading. As people see their GPs they can then decide to opt in. That spreads out the workload argument as well.

Dr Taylor: The point about choice is a very good one.

Q119 Jim Dowd: Does it exist now with written records?

Dr Cundy: It exists in the sense that---

Q120 Jim Dowd: It is the property of the clinicians and they decide what happens to it. That is what happens now.

Dr Cundy: At the moment with a paper record, you only have one choice of where you put it. In fact my contract says, if I write it, I must write it on a piece of paper sent to me by the Secretary of State, on the MRE, but, yes, you are absolutely right, at the moment if the clinician wants to write a record he can actually write it wherever he likes.

Q121 Jim Dowd: And share it with whoever he chooses?

Dr Cundy: He can, indeed.

Q122 Dr Taylor: But, in theory, the patient has access to all the written notes that are kept now? In theory.

Dr Cundy: No, they have a legal right of access.

Q123 Jim Dowd: So is the fact that it will be so much easier for them if they have got access to their own electronic records going to improve the quality of care, make it more difficult, affect security?

Dr Cundy: I do not know, I have no doubt, I think that is why, to a certain extent, this is an experiment. What I know from my system in my practice is that there are times when I, quite frankly, do not have an immediate clue as to what is going on with a patient, and we have 20 years worth of patient electronic records. Electronic records can be just as confusing as any paper record can be and in my practice I run it very rigidly: my partners are not allowed to do certain things. Despite that, we can still sometimes find it very difficult to not know what we are doing with a particular patient. It can take quite a long time to unravel it. If that is my record on my system that we managed, if I am having to navigate information on a system that is run by someone else, contributed to by lots of different other people, I have no idea whether that will be easy or not. I suspect it might be potentially difficult, but the answer is I do not know whether it is going to make life better or not.

Q124 Chairman: Can I ask you, Dr Cundy, do you think that summary records have any potential for research or planning in healthcare or do you think they should not have?

Dr Cundy: I think that records should be used as the law currently stands, which means that, if they are anonymised records, then I cannot see any reason why they should not be used for research, but if they are not anonymised, then I do believe that patients should have consensual rights over them.

Q125 Chairman: Have you had that debate within your field, the people that you are working with within this area, about how you could use summary records for research and planning in healthcare?

Dr Cundy: No, I do not think you can use the Summary Care Record because that is clearly identified.

Q126 Chairman: What record would you use then? You have got 20 years of electronic records in your practice. You must have some idea about the well-being or not of a large section of Wimbledon, would you not, and what has happened over decades in terms of healthcare and interaction with drugs in your patients.

Dr Cundy: Yes.

Q127 Chairman: Would it be good to measure that, do you think?

Dr Cundy: Yes, indeed, and we do that on a routine basis on a variety of parameters, but that is a different arrangement. They are patients of my practice, so it is entirely legitimate for me to do that and there is an assumption about consent. I thought what you were asking about was something like SUS, which is a large aggregation of data from different sources, and that being used for research. The circumstances are clearly laid out in law, which is that it should only be used if it is anonymised or with explicit consent.

Q128 Jim Dowd: Could I ask Dr Thomas to start with. I have seen your very distinguished academic record. Have you ever designed and built any systems yourself?

Dr Thomas: Personally designed and built systems, yes.

Q129 Jim Dowd: What sort?

Dr Thomas: Not medical systems.

Q130 Jim Dowd: No technical systems. What were they?

Dr Thomas: The company Praxis that I founded many years ago did do some medical systems development while I was Chairman.

Q131 Jim Dowd: I am sure they did, yes, but what did you do?

Dr Thomas: I have worked on---

Q132 Jim Dowd: Can you give us some idea of the scope and the scale of the systems you have dealt with?

Dr Thomas: I have worked on large-scale operating systems. We have built things for ICL, for example. I actually programmed part of the UNIX implementation that ICL put in as a subsystem of their large operating system. Mostly, in recent years, I have just been managing systems development rather than doing it myself, but, again, some pretty large-scale stuff I have been involved in. I also have audited some large systems. I audited, for example, the new en route air traffic control system that was put in down at Swanwick that got into some difficulties. Indeed, it is actually the independent review of the Swanwick system that is my worked example of the way that a select committee can bring about a sensible action by calling for an independent review. Gwyneth Dunwoody's committee instituted that and QinetiQ carried out a thorough review of that system, and it was very helpful.

Q133 Jim Dowd: From what you have said and given the evidence we have received, not just today but beyond, there is no consensus in what this system should do: some people have one view about what it should do and some people have another. Does your prescription of attempting to find that consensus before deciding how to progress really match up to the reality?

Dr Thomas: Yes, I think it does, because I think that there is decades of experience which shows that any other solution has a very high risk of failure.

Q134 Jim Dowd: Most things in life do. Does that surprise you?

Dr Thomas: I think there is plenty of evidence that trying to do organisational change by building computer systems fails and there is plenty of evidence that building large-scale computer systems without getting the specification sorted out at the beginning fails and fails with a much higher probability than if you go about it the other way round.

Q135 Jim Dowd: But if you have a system that meets the maximum requirement expected from the user group as well as the minimum, rather than just the optimal, surely you satisfy everybody?

Dr Thomas: In order to be able to do that you would need to know what the requirements were; so you would still need to engage with the user community to find out the requirements. Whether it is then an appropriate thing to do to try to build the most all-encompassing system you can and give it to everybody, or whether it would be better to have a number of different subset systems that people actually chose between, is a debating point. I would go for the smaller systems, because you do not want---

Q136 Jim Dowd: How do you define "better" and "worse" in your use of language?

Dr Thomas: More dependable, more cost-effective, more likely to achieve the overall objectives within a reasonable cost.

Q137 Jim Dowd: So you are an optimalist rather than a maximalist?

Dr Thomas: Yes, I am an engineer and engineering is a business of making engineering trade-offs. To make sure that you achieve the maximum you can from the minimum expenditure with the highest degree of reliability.

Q138 Jim Dowd: That has clearly changed from when I was involved in it, because our objective there was to give the customers what they wanted and ask them to pay for it.

Dr Thomas: It has moved on from that, because the professional societies now require that engineers take things like safety and general professional behaviour into account rather than just selling people snake oil.

Q139 Jim Dowd: BT say that a Central Record System will be almost impossible to breach. You cast significant doubt on that. What reason do you have for that?

Dr Thomas: It is very difficult to build secure systems and keep them secure. There is a real tension between ease of use and security. The more secure you make a system, the harder it is to use because you have to go through more checks in order to be able to use it. If the intention is to make individuals' records available on the Internet, in order that ordinary members of the public can check their own record, any mechanism that is really robust and that would stop people being able to break through and check somebody else's health record would necessarily have to be quite hard to use and, therefore, finding the appropriate trade-off there is certainly difficult and may even be impossible. It may be that if you had targets for how hard it should be to read somebody else's health record on-line, it would turn out that you could not build a system that was easy enough to use to make it worthwhile having a system at all. One of the things that concerns me about the programme is that there is no definition of what is an acceptable level of security breach. You heard Mr Granger this morning saying clearly that no system would be ultimately secure and, therefore, he accepted that there would be security breaches in his systems. But I have asked him directly whether he has targets for what would be an unacceptable level of security breaches, and he says, "No, I have not." That seems to me to be a mistake, because if you do not know how tolerable it is for a security breach to occur, you do not know how much effort you need to put into building systems that are adequately secure to meet your targets because you do not have the target. So what do you do? Do you go for perfection, which is certainly going to be unachievable but, in any case, is going to lead you down the path of spending vastly more money than you need to have spent, or do you take whatever level of security comes out of the way that you are going to be building the systems within the budget, which may lead to a level of security breaches that turn out to be unacceptable in practice and cause you to have to take the systems off-line?

Q140 Jim Dowd: But your conclusion on the inevitability of a breach is not based on any knowledge of the systems and the architecture that BT have employed but really on a reductive process of experience of previous systems?

Dr Thomas: Absolutely. Nobody outside BT, as far as I am aware, has any insight into the detailed architecture and security policies for the systems they are building. It is confidential.

Q141 Jim Dowd: Nobody outside the BBC thinks they are perfect either, so the idea of getting a solution, I think, will be elusive. Dr Cundy, smartcards and role-based access controls providing effective security in GPs surgeries. Do you agree with that and, if not, what systems do you think should be put in?

Dr Cundy: It has been shown already to be a nonsense. We said that when you issued smartcards, unless they were instantaneous in their ability to access the record you need, they are going to be seen as an imposition, as an obstacle. That is not such a problem in general practice, but in places like A&E departments where patients come in and there is a very rapid turnover and delivery of care, we predicted that what would happen is that someone would come on shift (a hospital doctor, a nurse, a hospital administrator), they would slip their smartcard in, and they would need it, and everyone would just access the records. That is precisely what has happened and, what is more, it has happened with the local agreement of the PCT and I think also, I have to say, the local medical committee.

Q142 Jim Dowd: It is not the smartcards themselves at all, it is the people who use them?

Dr Cundy: It is the people working around something which is seen to be an imposition, and it is part of the trade-off between security and usability. In a general practice it is possible to insist that people log out. We do not actually use the smartcards but you log out when you leave the screen, but in some busy departments it will not be possible. In a theatre, for instance, if a surgeon is operating he might want to know some information about the patient, what does he do: de-glove? So you have immediately got a conflict in what is called role-based access.

Q143 Jim Dowd: What happens presently in a theatre when the surgeon runs into a problem and needs further information?

Dr Cundy: He will probably ask a junior doctor to look through the record; but I think the argument you are heading towards is, because it is not done as well as it could be done now, we should not deal with the systems of the future to be better.

Jim Dowd: That is completely the reverse of my position, but I am only asking questions. What is happening with smartcards is learning to work around them, and so what we need is ever better security technologies.

Q144 Chairman: Can I pursue that a little bit. Is it better technologies? Is not the truth of the case in and around IT that most of the major security issues are human driven?

Dr Cundy: Absolutely.

Q145 Chairman: Is that the case, Dr Thomas? Would you agree with that?

Dr Thomas: There are two main causes of security breaches in socio-technical systems, by which I mean big computer systems embedded in organisations. The human factor is an enormous one. If you want to break a system the thing to do is to corrupt an insider or just to trick an insider, but if you have actually got access to the interfaces to the system and you want to make a technical challenge, then it is usually programming errors, not even design errors but stupid low-level programming mistakes, that give you the ability to break in. That is why systems become vulnerable to viruses and worms, for example.

Q146 Chairman: What happened in banking? My personal bank account records have been electronic for years now, as has presumably the Prime Minister's and everybody who works in this establishment and everybody who works in the UK. There are all these things, not about the human side of it all, about the secure side of it. Why has it not failed? It does not appear to have failed, or has it failed?

Dr Thomas: Yes, it has failed. There is a high level of banking fraud. The banks regard it as confidential information and the policy in the banks is not to have a higher level than the other banks. They do not go for a financial level of fraud reduction. What Barclays care about is whether their record is worse or better than HSBC, but also they care about who is liable for it. It is really a liability issue. One of the main reasons for bringing in chip and pin is that it enabled them to offload liability back on the customer.

Q147 Chairman: That was a fraud about somebody in a restaurant not doing with my card what they should have done. This was not about the system, this was about the input into the system. Is there not a difference when you are talking about security of IT systems?

Dr Cundy: Can I comment on that?

Q148 Chairman: I was asking the engineers to start with, and then I will come on to you two.

Dr Thomas: I do not really understand the question. Banking security gets corrupted in all kinds of ways by phishing attacks on-line.

Jim Dowd: No, that is a software problem. It is a problem with the people who respond to it; it is not a system problem. It is the fact you get an email from somebody who you believe to be your bank wanting all your details and passwords, and some people are gullible and stupid enough - they are probably the people who ring up daytime TV game shows and are wasting their money doing that as well - to turn round and say, "Yes, I will send you my security code", or sending credit card details to unsecured sites!

Q149 Chairman: That is the difference to the security of the system then. You are saying that the security cannot be used as well. My comment is, from a technical point of view, is this going to be as secure as a banking system, not that somebody in a restaurant is going to create fraud by disabusing my credit card when I go to pay my bill? That is a different issue.

Dr Thomas: It is very important to consider that the system is both the technology and the people who interact with it directly. The moment you start focusing just on the technology and on the security of the technology, you miss most of the real problems both in building and making secure.

Q150 Chairman: Should we not go back to live in caves then? Would that be a good idea?

Dr Thomas: No, absolutely not.

Q151 Chairman: Where do we not go back to live in the cave and where do we have an IT system sat in my office over the road there? Where is the judgment on that?

Dr Thomas: I am not arguing that you should not build IT systems and embed them in organisations. What I am saying is that, in deciding what the specification for the technology should be, you actually need to start by looking at the specification for the overall social system and deriving the specification for the technology out of the way that people are genuinely going to behave when faced with the technology. I have been on the steering board for the dependability research project that EPSRC (the research council) has been running, and one of the things that they have done, a big project out of Newcastle, is to send their ethnographers to hospitals to sit and observe for days the way that people do actually work with the systems that they have got in hospitals; and what you see all the time is that people do not use the systems the way that the people who develop them expected them to do. The moment it appears to them that the systems are getting in the way of them doing their job, which they see as treating patients and running the hospital effectively, they start working around the systems. The way in which people work around the systems fall into well-defined patterns, and the psychologists and the social scientists have got a very good handle on the kind of work-arounds that people will use when they start to run into problems, like sharing smartcards, for example. So, you can actually design your technical systems in the knowledge of what will happen under overload situations or crises or where people are just having a bad day and are not working very effectively. You have to do that. The airlines did not manage to get the accident levels down without taking account of the kinds of errors that pilots made.

Q152 Chairman: Andrew.

Mr Hawker: Comparisons with banks, I think, have come up a few times this morning and there seem to me just one or two dangers. I think Mr Dowd has got his finger on one pulse, and that is that the banks can do a straightforward financial analysis. They can decide: "We will spend this much on security; that will balance against this much we will lose in fraud." You cannot do that with personal records because once my history has escaped it is there, and if it is actually on the Internet it is there for everyone, and that is quite a sobering thought. We are seeing, for example, teachers being the victims of websites organised by their pupils. What happens then if that medical record finds its way onto a site of that kind? I feel at some points we are not looking at the way that technology is happening outside this little world of NHS IT and the way that can have an impact on people, but that is not a problem the banks have. So, if you are trying to make comparisons, I think another useful one might be to look at the kind of internal audit system you will tend to have in a bank and the rather specialised and skilled people that they would employ to do that; and I can find no evidence that within the NHS we have an equivalent kind of privacy skilled auditor internally who can do the sort of investigation and monitoring which forms a part of this social total structure of security which will make me start to believe some of these things in the Care Record Guarantee. What we do have is a steady drizzle of bureaucracy coming out of the Information Governance Toolkit. Chairman, I have read all that. There are 100 different criteria that you meet. You score yourself on those. You go up from one to three on each one and there is a huge problem with that because some of those one, two, three steps are absolutely crucial, like having an information assistance officer or a Caldicott Guardian, others are pure paper work, but you get the same points for each, you add them all up and it goes into a traffic-light rating. Guess which ones people will go for? The other assumption I worry about is that you have all this intense activity but it is all very superficial and it does not add up to a coherent whole. You can score your 70%, or whatever it is, but it does not really mean that you have got the right sort of focused activity within the trust, or the practice, or wherever, and that is where I think you could learn a good deal of lessons from the banks because they have been doing it for longer and there are certain types of people I can identify working in the banking system who are in some ways a worthy adversary for many of the people who attack systems. They are able to think the way they do, they do these kinds of human studies that Professor Thomas has mentioned, so that they are thinking into the mindset. They are not relying on: "We comply with rule 206 in the information toolkit", they are thinking themselves into the problem, and if there is one good thing about the delays, it is that we do have some time to get that right, and I would urge the Committee to try and press that case. Earlier on Dr Gillian Braunold said we have got ten years to go on information governance. That is the problem. We have only recently started going on the information governance programme and, looking at what is happening on the ground, a lot of it is still very embryonic. That is another reason, incidentally, why I have anxieties about trusting this guarantee, because the plans may be there but it is not really happening.

Q153 Chairman: Dr Cundy, did you want to say something?

Dr Cundy: The issue is that what we are talking about is a widely accessible distributed record, the Summary Care Record being available from these 15,000 outlets - I am using the word outlets for them - and security mechanisms, which may or may not exist, which will be overridden by humans. We know that 90% of security breaches are from people employed within the organisation; so we must assume that there will be people who, either by error or with malign intent, will access records that should not be accessed. How do you limit that risk which you cannot limit because you cannot identify the crooks before? You can do one thing: you can alert the person, you can alert after the event, which is a bit of help, but actually the plans for access alerting the audit trails have been massively watered down. My understanding is that the most recent plans are that there will be no alerts from local accessing. For instance, in general practice, if one of my receptionists looked at one of these summary care records, under previous iterations I would have been sent a message saying, "Did you know that your receptionist looked at this patient's record?" That will not be happening because it is a local detailed record, because it is too difficult to manage, because, as Mr Granger says, there are 500 million transactions a day, and I have difficulty enough dealing with 30 or 40 patients, let alone 100 million transactions. The way you deal with that problem, which you cannot stop, is you limit the exposure of the information that you are putting on the system, and that is the trade-off. The trade-off is how accessible is it from how many places against the risk of making that accessible? It would seem innately sensible to me that in a widely accessible system that you cannot really control you should have as little information as possible, that we have a programme which is rolling out something which we know what is going to be in it. We are actually hearing messages that what is going to be in it is much more than we ever conceived. It might actually mirror local detailed records. I think that is an issue that needs to be opened and aired, because patients should have the right to say, "Yes, I am prepared to put my records at risk, I am prepared to put my records on, in effect, what is a sort of plug and play technology." Anyone can come in, plug in, have a look at a record and off they go. If that is a risk that people want, that is fine, but they can only make that assessment if they have informed consent. I think there are many trade-offs, there are many balances here.

Q154 Chairman: You will be pleased to know my final question is directed to Andrew and Martyn. Both of you have suggested that the new system should be independently reviewed and tested before further implementation. What do you think this would achieve? Do you not think that this would really delay the project even further from the alleged delays that we read about now?

Dr Thomas: No, I really do not think it would delay. There is a common myth that planning slows things down. Richard Granger this morning said it would be really nice to have found out what it was we were supposed to have been doing and plan it properly before we started, but it was too urgent to get the systems in and to get the benefits from that and so we just got on with it. I paraphrase him. Yet the consequence of that is that you have two years slippage, and more to come, no doubt, on the care record. I genuinely believe that they are hampered at the moment by the fact that ministers have made promises, that they have published commitments as to the roll out of a particular system, the number of acute trusts that would get particular systems in particular timescales, and that in order to really deliver the sorts of things that the NHS needs and to get the prioritisation right, somehow you have got to shake those things off, and that means getting away from the spin of how successful things are at the moment where typically what you get quoted are input statistics ("We have connected this number of people; there were this number of transactions") rather than output, benefit statistics that actually tell you to what extent healthcare has improved as a consequence of whatever has been done, somehow we have to get away from that and to have a completely independent view as to how well the specification is understood; what can we do rapidly to make the specification of the systems that are going to be built really fit in with the clinical needs? Can we tease apart the issue of providing technical support for technical clinical functions within hospitals from transformation of the Health Service in managerial terms? Is it possible to separate those issues? If it is not, how can we get the appropriate level of organisational buy-in to the specification of the organisational transformations to make it feasible to build the systems that will not be constantly rejected?

Q155 Chairman: That is the suggestion. It is more to do with human resources than the technical issues of the programme, or am I misreading that? I thought you would ask for a technical review, which is something I quoted to Richard Granger earlier as what you had asked for.

Dr Thomas: Yes.

Q156 Chairman: It is a technical review, including human resource aspects in terms of people in the workplace, as opposed to technology in the workplace?

Dr Thomas: It must start with the requirements and how well-founded those requirements are and whether they are complete, whether they are contradictory.

Q157 Chairman: How would a review achieve that, do you think?

Dr Thomas: In the way that reviews always do, by going in and talking to people, by calling for input, by capturing what the programme says the requirements are at the moment, for example, and analysing them.

Q158 Chairman: Going and talking to people up and down the land?

Dr Thomas: If I was, God forbid, asked to carry out such a review, I would start off by looking at all the detailed planning documents and the internal reviews that have been done. We know that consultants have reviewed aspects of the programme, but those reviews are not published. We know that there have been gateway reviews. Those reviews have not been published. The department has refused to release either of those, even under Freedom of Information Act requests. I would start off by trying to find out what actually the current views of the programme are and getting a clear view as to what are the detailed plans, what are the detailed objectives. Let us do a technical review of those plans. How good are they as technical plans? Let us have a look at the risk register. Let us have a look at the project hazard log. Is anybody building a dependability case? Has anybody done a decent safety case for the systems? What plans have been made for the lifetime costs? Is there a proper business justification that shows that the costs actually are less than the benefits that are due to come out? If the answer to any of those questions is, "No", you will have put your finger on something that needs to be fixed urgently.

Q159 Chairman: Do you think that people who are involved in the national IT programme at the moment are aware and conscious of those facts, whether reviews have been published or not in terms of that? Do you think they are not capable of knowing that as something in their daily business, as it were? The programme is not without its problems. Are these people who are developing it not capable of being able to do that?

Dr Thomas: I have reviewed a lot of large technical programmes over the years, and I want to stress, I am not asking to review this one personally, I am not for a second bidding for that job, but my experience of carrying out those reviews is that people get blinded by the fact that they are too close to the project and they get compromised by the fact that they cannot stand back and admit errors. What typically happens is that people start redefining what the milestones meant, in order to claim success for milestones and to put off the day when they have to admit that things have gone wrong, and they start arguing about what it was they really were setting out to do at the beginning, so they start getting a bit weasely about what the specification really was, and the whole business justification is lost because the costs have changed, the specification has changed and the balance between what you are going to get and what it is going to cost you has gone wrong in two directions. The people on the programme are not motivated to stand back and say that because they have got this vision, "One more heave and we will get there." It takes somebody who does not have a stake in the programme to come in and stand back and say, "The reality is this, and we need to make appropriate changes if we are to achieve sensible things and sensible milestones."

Q160 Chairman: I wonder whether you think it would be an unfair comment, but I think what you have described there in the latter moments is more to do with an inquest than a review. It seems to me that, unless there is anything specific a review would do, most of the issues we have heard about in the last few hours here would be something that would be happening on probably a daily basis, I would have thought. Andrew, you wanted to comment.

Mr Hawker: I did not, in fact, suggest a review, I was trying to be more pragmatic. I did suggest that there should be a test, or some testing that showed that you were actually operating in line with internationally approved information security standards, and, in the end, the simplest way is to have people have a go at getting into it and use other objective measures of whether it is easy or not to get across the security barriers that you have laid down. I think that would be enormously helpful, because you can quote that in your guarantee. You can say, "Look, we have invited these various people to contradict the security and they have failed." If they can do it, then we continue to try to refine it, we learn from that, but simply to draw evermore elaborate models, and so on, I do not think really gets us any further.

Chairman: Could I apologise once again for the lateness of the hour. Could I thank all three of you for coming along. We have had two very interesting, fascinating sessions and I am hopeful than, when our report does come out, it will be a lot more informed because of the two evidence sessions this morning than it has been up to now in terms of what has been floating around in the media. Thank you very much for attending.



[1] Ev