by Bharadwaj V. Chada
As has often been the case throughout its esteemed and eventful seventy-year history, the NHS once again finds itself caught between the proverbial rock and hard place. This time, we’re talking about data. Health informatics has come of age over the last decade, with developments in Big Data, Artificial Intelligence and Machine Learning auguring a paradigm shift towards fully data-driven health systems.
There has been growing recognition of the immense – and as yet unrealised – value of healthcare data within the NHS, which a recent report by Ernst & Young placed at around £5bn (with the potential to deliver several billions more in operational savings).The potential advantages of healthcare data are manifold: a better understanding of disease processes, earlier and more accurate diagnosis, and targeted therapeutics and personalised medicine may significantly benefit patient outcomes. Likewise, data can serve to inform our understanding of the cost-effectiveness and efficiency of healthcare delivery, yielding improvements in health system productivity. Yet despite, or perhaps because of this, the pursuit of unlocking the value of healthcare data has brought with it significant information governance concerns in recent years.
There have been few higher-profile examples of data mishandling than the data-sharing agreement between Google-DeepMind and Royal Free NHS Foundation Trust for the development of its Acute Kidney Injury (AKI) detection app, Streams. The Information Commissioner’s Office (ICO) ruled that the processing of 1.6 million patient records was excessive and disproportionate, conducted without patient information, and in the absence of requisite technical and organisation controls. Examples such as these have done little to inspire public confidence, with various studies and surveys fairly unequivocal in demonstrating public reticence over this perceived commercialisation of the NHS.
The NHS is thus presented with the challenge of reconciling these two dichotomous objectives: tapping into the veritable goldmine of healthcare data to improve outcomes and productivity on the one hand, whilst upholding its responsibility as a custodian for its 55 million patrons on the other.
The first step is accepting that our beloved, if beleaguered, NHS can’t do it alone. Policy makers have long championed technology as the salve to our health system’s troubles. Lofty digital ambitions notwithstanding, inertia towards innovation has been among the NHS’s greater foibles (look no further than the ill-fated National Programme for IT (NPfIT)). Indeed for every success story, such as Cambridge University Hospitals’ Epic Electronic Patient Record (EPR) system or the recently announced Health and Social Care Network, there are myriad more examples of archaic fax machines purchased in their thousands, internet connections scarcely better than dial-up, and basements containing tomes of antiquated patient records. Unlocking the value of healthcare data falls outside the capability of our public infrastructure alone, and plainly requires the involvement of private sector IT behemoths.
Once we acknowledge that our careworn NHS needs propping up by tech-savvy collaborators, the question then becomes one of prioritising patient autonomy. For all the talk of keeping patients at the heart of everything we do, they have been a historically neglected stakeholder. Private organisations are – correctly – expected to behave scrupulously, and operate in accordance with the highest standards of information governance. Similarly the NHS Data Security and Protection Toolkit (DSPT) outlines the key roles involved in data protection at an organisational level, such as the Information Governance (IG) lead, Caldicott Guardian, and Data Protection Officer. Any mention of patients or patient advocates is conspicuous by its absence.
Facilitating patient empowerment and encouraging ownership of their data is made complicated by the liminality between medical ethics and law. Often the two exist in a synergistic and mutually reinforcing relationship: ethical dogma curates data protection law, and adhering to data protection law ensures the principles of medical ethics are upheld. Yet there are circumstances in which lawful agreements needn’t necessarily be ethical ones, and it is precisely in this grey area that data handling challenges arise.
Adhering to legal frameworks such as obtaining section 251 approval by the Confidentiality Advisory Group (CAG) (or under the Control of Patient Information (COPI) notice in the context of COVID), demonstrates that private companies may access sensitive patient data without obtaining consent at the level of the individual patient. These safeguards exist specifically because consenting each and every patient whose data is being shared is neither practical nor possible. Notwithstanding this, various guidelines and policies such as the NHS Code of Practice on Confidentiality and the General Medical Council (GMC) Ethical Guidance on Confidentiality assert that patients should not be surprised to learn how their information is being disclosed.
The solution to this dilemma is ostensibly not to ask every single patient if their data may be shared for research or service improvement purposes. Instead a concerted effort must be made to raise awareness of how patient data is being used and to whom it is released, thereby engendering patient confidence and engagement. Appointing and engaging in consultation with patient advocates for example, either independently or in conjunction with the Caldicott Guardian, may improve public acceptability of the sharing of their data. Similarly liaising with independent think tanks such as Understanding Patient Data and raising awareness of the National Data Opt-Out may further facilitate patient empowerment.
The adoption of data-driven technologies to mitigate the ongoing COVID-19 pandemic has been the subject of much interest in recent months, as several symptom checking services, decision support aids and prognostic tools have proliferated both within and outside the aegis of the NHS. Acceptable derogations in data protection law in the context of COVID-19 have been well-documented. However, crisis situations cannot preclude ethical data sharing. On the contrary, efforts must be redoubled to ensure the integrity of patient information is not compromised during these unprecedented times.
The involvement of commercial organisations within the NHS has traditionally been met with much apprehension. At the same time there is growing recognition of the immense value of healthcare data. Commercial involvement for the deployment of data-driven technologies can generate essential service improvements, but only when married with key technical, legal, and ethical safeguards. Policy makers are encouraged to be especially cognisant to ethical considerations and patients’ preferences, traditionally an overlooked stakeholder.
Bharadwaj is an academic foundation doctor interested in harnessing the potential of medical technology to deliver essential service improvements in the NHS. He graduated from King’s College, London in 2019 and is currently undertaking a Postgraduate Course in Healthcare Data and Informatics at the University of Cambridge.