The Court of Public Opinion can be as important as any Court of Law.

“Human rights are about holding the powerful to account“. Lest there be any doubt: Shami Chakrabarti, Director of Liberty, is fiercely critical on the lawfulness of personal patient data derived from GPs without the consent of patients. Shami explained that privacy is a fundamental human right, “without privacy, there can be no dignity, no intimacy, and, in this context, there can be no trust”. Chakrabarti argued that trust is fundamental to the operation of the public good in running a healthcare.

Chakrabarti criticised that there was no parliamentary debate about the General Practice Extraction Service, which would be a problem if this matter went to Strasbourg. She commented:

“This new policy on GP data extraction is what I have real concerns about from a human rights perspective. The domestic courts have not been vigilant. I personally find it difficult, at first blush, how it can  be necessary, proportionate and legality for this extraction mechanism which seems to remove ownership from the patient, and which seems to expose these sensitive records with real exposure to loss. We have seen this umpteen times with big databases. My colleagues are dubious about any legal basis for this even in domestic law. Even if you say you can justify this, you need to have had a proper parliamentary debate about this aspect of policy, not just the Health and Social Care Act in general.”

“Some of this information is to be passed to non-NHS bodies. I am absolutely stunned at this, I think there is a real opportunity to challenge this in the Court of Public Opinion and the European Court of Human Rights under the Human Rights Act and the  European Convention of Human Rights.”

Chakrabarti was the “star turn” in a one-day conference, hosted by @MedConfidential (led by Phil Booth, @EinsteinsAttic) which I enjoyed very much in Dean Street, Soho today.

In England, there exists a general common law duty imposed on health professionals to respect the confidences of their patients. A requirement to maintain confidentiality of patient confidentiality is also maintained in the professional codes of conduct. This limits the conditions for which patient data can be used for research. Confidentiality is not, of course, an absolute principle. There is no breach of confidentiality if the patient consents to their information being shared. The doctrine of consent is therefore a pivotal consideration.

The NHS is not of course new to any controversy about data management. On 29 March 2012, the Medicines and Healthcare Products Regulatory Agency and the Department of Health’s National Institute for Health Research (NIHR) launched the Clinical Practice Research Datalink (CPRD).The Clinical Practice Research Datalink is designed to provide researchers with access to safeguarded data that respects patient confidentiality. This will give valuable insights into serious health conditions and ultimately help reduce the time it takes to develop new treatments. The Clinical Practice Research Datalink website provides the following information (click here):

“The Clinical Practice Research Datalink (CPRD) is the new English NHS observational data and interventional research service, jointly funded by the NHS National Institute for Health Research (NIHR) and the Medicines and Healthcare products Regulatory Agency (MHRA). CPRD services are designed to maximise the way anonymised NHS clinical data can be linked to enable many types of observational research and deliver research outputs that are beneficial to improving and safeguarding public health.” Ian Brown from the Oxford Internet Institute at Oxford University, Lindsey Brown from the School of Social and Community Medicine at the University of Bristol, and Douwe Korff

London Metropolitan University, published an interesting article entitled “Using NHS Patient Data for Research Without Consent” in December 2010, in Law, Innovation and Technology (Vol. 2, No. 2, pp. 219-258) (link here).

Can patients object to their personal data being included? “Up to a point, Lord Copper”, but the paper sets out the following:

“Objectors’ records can accordingly be marked in a tab in the system as ‘Consent refused for GPRD Data Collection’, if patients are ‘adamant that they do not want their records to be included in the scheme’. According to the Guide, this ensures that their medical records will not form part of the draw-down of records for inclusion in the GPRD. The [Guide for GP Practice Managers] Guide repeatedly suggests that patients in participating GP practices have given their ‘consent’ for the extraction of their data to the system, presumably because they are assumed to have seen the poster and did not opt out of the system. That is a highly dubious assertion… Here, we may note that it is also doubtful whether many patients are actually even aware of their GP practices’ participation in the scheme.”

It is widely recognised that medical research does not benefit the individual patient directly the data concerns. It is quite easy to demonstrate that research carried out by other NHS employees, academic researchers or pharmaceutical companies do not fall within patient care. There may be benefits of this research to the patient or his/her family, but it can be easily argued that patients ought to be given a choice as to whether they wish their information to be used for such purposes. Consent should therefore be obtained in such an argument. Even with sharing of information is deemed to be ‘in the public interest’, it has been considered fair and lawful for patients to be involved in decisions about the release of identifiable information to third parties.

However, I’m pretty certain that European Convention of Human Rights law will ‘kick in’, however the above is ultimately resolved. Article 8, a right to private and family life, is a typical ‘human right’, in that it must serve a ‘legitimate purpose’, must be ‘necessary’ and must be ‘proportionate’ in relation to its purpose. The situation above, many would argue, is compatible with human rights law, even considering the purported usefulness of such a measure. The EC Directive on Data Protection is directly relevant here, and particularly the concept of “personal data”.

Opinion 4/2007 on the concept of personal data is very helpful (link here). On page 13, it provides:

“In cases where prima facie the extent of the identifiers available does not allow anyone to single out a particular person, that person might still be “identifiable” because that information combined with other pieces of information (whether the latter is retained by the data controller or not) will allow the individual to be distinguished from others. This is where the Directive comes in with “one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

Some of the “best bits” are as follows:

11.30 Online patient records: safety and privacy – Ross Anderson, Professor of Security Engineering at the University of Cambridge Computer Laboratory

12.40 NHS Confidentially and Patient Advice – Helen Wilkinson, Coordinator of TheBigOptOut Patient Advice Line

“The Big Opt Out” link is here.

Your medical confidentiality is at risk from this new database, as over a million NHS employees and central government bureaucrats will have access to not only your medical records but also your demographic details name, address, NHS Number, GP details, phone number (even if it’s ex-directory) and mobile number.

There is no opt out whatsoever for your demographic details. You can only have them hidden in special circumstances if the police or social services request it if, for example, you are a celebrity or on a witness protection scheme. Many public and private sector workers will otherwise have access to your address and phone number, from social workers to pharmacists.

You will eventually be allowed to ‘lock down’ some of your medical details (though the security mechanisms haven’t been built yet). But although you can keep some of your medical details confidential from some of the doctors involved in your care, they can override this if they think it’s necessary, and there is no way for you to keep your information confidential from civil servants. You will no longer be able to attend any Sexual Health or GUM (Genito-Urinary Medicine) Clinic anonymously as all these details will also be held on this national database, alongside your medical records. For the first time everyone’s most up-to-date and confidential details are to be held on one massive database.

Click here for more information, here for the latest news, and here to find out what you can do about it.

16.10 Our right to medical privacy – Shami Chakrabarti, Director of Liberty

We have to wait until the end of a ‘fixed term parliament’ to bring this, and other issues such as the newly enacted section 75 regulations of the Health and Social Care Act, to the Court of Public Opinion. However, a legal challenge could be much sooner than that.