BY Wendy M. Grossman | Monday, April 21 2014

Screengrab from Paul Bernal's parody of the "Downfall" video

How to destroy public trust in a government open data program in three easy steps:

Step 1: Pick a sector that's maximally sensitive - say, health care - and plan a program to sell the collected data, with the stated purpose of benefiting the public good, that conflates personally identifiable data with open data and research purposes with commercial exploitation, and to which everyone's records will be automatically uploaded with no ability to withdraw them later.

Step 2: Publish conflicting, confusing, and incomplete information about it, omitting details such as deadlines, forms, and processes for opting out.

Step 3: There is no step three!

This is how the UK government has (so far) mishandled a program called care.data. Given the power to do so in legislation passed in 2012, the governing health authority ordered care.data into being at the end of 2013, and distributed information leaflets in January 2014. The resulting furor, which has seen the program delayed for six months for a rethink, has seriously damaged public trust in how the English National Health Service (NHS) intends to manage the country's medical data. The Guardian's "Bad Science" commentator, Ben Goldacre, a trained doctor, has warned that unless the government can un-bungle the situation, the loss of public trust will ultimately cost lives.

Care.data is intended to make England's store of medical data available to third parties such as researchers and others trying to improve patient care. Unfortunately, that unexceptionable goal has gotten tangled up with selling personally identifiable data for commercial exploitation by (for example) pharmaceutical companies. I say England for a reason: health care is devolved in Scotland and Wales, so although these countries have analogues to the programs discussed here, care.data is specifically a program of the English NHS, by far the largest of the three.

The first thing to understand about the National Health Service is that where American medical services are organized around individual patients with insurers acting as gatekeepers, the NHS is organized around individual general practitioners. Except for emergencies, your GP is your first point of contact, and acts as the gatekeeper to further services and specialists. The usually given rationale is that specialists ("consultants") are a relatively limited resource whose time must be carefully managed. GPs are also traditionally the authoritative repositories of information about their patients: reports on treatment you receive and the results of tests are routinely sent to them. This system has both bad and good sides: if your GP discounts the importance of your complaint you may get stonewalled; but a good GP provides you with continuity of care and a personal relationship.

This is why centralized electronic health records have been so controversial in the UK: they represent structural change. For doctors, it takes away their control and risks damaging their relationships with their patients. For individuals, it moves control over their most personal information away from someone they know and trust into an impersonal data center. As the Cambridge University security engineer Ross Anderson has often said, the difference is that when the police come asking for detailed medical records, instead of being confronted by a 50-something medical practitioner with years of experience who might tell them to get lost, they deal instead with a 24-year-old geek working in a data centre owned by British Telecom or some other such provider.

As Anderson explained to the Washington, DC, Privacy Health Summit in 2011, centralized, socialized medicine has meant that the UK began discussing electronic medical records much earlier than the US. The NHS began to build centralized systems as early as 1992, culminating in the National Programme for IT (NPfIT) in the early 2000s. This program sought to create an electronic Summary Care Record for every patient in England. The government's pitch was that centralized records would mean better patient care: emergency rooms would be able to look up the records of incoming patients to spot allergies and other conditions, as would hospitals, consultants, and other medical staff. Much of this program was eventually canceled due to rising costs (£12 billion at last count), the global recession, and the fact that it was proving difficult to implement. Opponents such as Anderson pointed out also that emergency personnel treat the patient based on what they see and test in front of them, not by consulting records. Privacy and control were much bigger issues, however.

It was against this background that care.data, an entirely different program, was introduced in the Health and Social Care Act 2012, a controversial structural reorganization of the NHS. Opponents - most medical professionals - argued that HSCA introduces layers of expensive bureaucracy. Proponents argued that it would introduce competition and make the NHS more efficient. Less noticed before the Act's passage was its creation of the Health and Social Care Information Center (HSCIC), a non-departmental public body of the Department of Health, to become a central repository for England's health care data.

In December 2012, HSCIC announced the care.data program, which requires GPs to upload their patient data so that HSCIC could link it to existing data sets such as Hospitals Events Statistics. Eventually, as the NHS Web site explains, "this programme will build on existing data services and expand them to provide linked data, that will eventually cover all care settings, both in and outside of hospital." In other words, eventually care.data should cover every interaction an individual has with the NHS throughout their lifetime. And these data inevitably will be identifiable: these are not aggregated statistics.

As Phil Booth, the coordinator for medConfidential, explains, the NHS has had an information center more or less since its founding in 1945. "The original store of all population-level data was the repository of the World War II ID cards," he says, "and the very first NHS numbers issued were your World War II ID card number plus a number tacked on the end to represent your position in the family. Over the years, that body grew up to manage the statistical side of the NHS, generating a lot of population-scale data." Around 2005, the precursor of the HSCIC, the NHS Information Centre, was officially established as a special health authority.

Concerns about care.data began even before its name was known when Tim Kelsey was appointed National Director for Patients and Information in the National Health Service in July 2012. Kelsey's particular background was the main factor: a former journalist, in 2001 he founded a company called Dr Foster, which began publishing a Good Hospital Guide based on hospital mortality statistics derived from the hospital records database. In 2005, when the NHS IC became a special health authority, the Department of Health set it up as a joint venture with Dr Foster, paying £12 million for a 50 percent share. When it reviewed the purchase, the National Audit Office complained (PDF) that the DoH paid 33 percent more than its own adviser's valuation and failed to open the venture to competitive bidding.

Says Booth, "We believe that established the precedent that a private company could have, essentially, a commercial reuse license. Ever since, there have popped up a number of these organizations that say they're using these data under a commercial reuse license but we can't find information at all anywhere about what a commercial reuse license is. What are the terms?"

So the story so far: a background that made it easy to confuse a previous database program that was aimed at patient care with a new one aimed at administration and exploiting data, and a new program placed in the charge of a man who made his money from medical data and whose grasp of the difference between open data and personal data is shaky. In a piece he wrote for Prospect in 2009 (http://www.prospectmagazine.co.uk/magazine/longlivethedatabasestate/#.U1JRZVfTliQ), Kelsey argued for the removal of legislative blocks on sharing government databases, and said: "But no one who uses a public service should be allowed to opt out of sharing their records."

This is not a situation likely to engender public trust.

In January an official leaflet (PDF) explaining care.data was distributed to English homes. It was widely criticized for being more like propaganda than information: relentlessly upbeat, it lacked detail on how the data might be used; offered no way for individuals to find out what the data they were being told to share might look like; and included no information on how or when to opt out.

If that weren't enough, because the leaflets were distributed by the Royal Mail as part of its bulk delivery service, anyone who had chosen to avoid unwanted junk wouldn't have received it at all. Following a media furor and campaigning by the British Medical Association, medConfidential, and the Royal College of General Practitioners, by February the HSCIC was announcing it would delay the program for six months while it rethought.

Booth, who previously led the campaign against the National ID card, which was dropped in 2010 when the current government came to power, is anxious to make it clear that medConfidential does not oppose the use of databases.

"With this there are many potentially beneficial uses," he says, noting that in this respect care.data is utterly unlike the National ID card ("We just had to get rid of it because it was too damn dangerous"). "But those have been conflated with other purposes that are outrageous, such as commercial exploitation, or contentious, such as commissioning, seen as the mechanism by which bits or large amounts of health care provision become privatized. We have had to juggle a lot of conflicting, really complex things. There have to be proper processes so we can balance out the public interest with the rights of the individual."

One of the biggest problems with the system as planned is that although you can opt in at any time, once your data has been uploaded you can't withdraw it or stop it for the future. So consider how this works in practice: a woman has a baby. Her hospital stay and the details of her treatment are recorded, along with the date, time, and other details of the baby's birth. That child is now automatically opted in for a lifetime.

Almost perfectly timed to make Booth's point about the dangers of commercialization, in early March the news broke that the entire Hospital Events Statistics database had been passed to PA Consulting and uploaded to Google servers for study. Shortly afterwards, the government tabled amendments to the Care bill in the House of Commons; these are due to be put before the House of Lords on May 7.

The desired amendments, as described by Allyson Pollock, a professor of public health research and policy at Queen Mary University of London, would do three things. The first, with a few narrow exceptions such as drug trials, blocks the disclosure of confidential information to commercial organizations. The other two put independent oversight of information handling across the health and social services on a statutory basis. Booth has a simple, three-word description of what's needed: consensual, safe, transparent.

"They're saying the right things now," says Booth, although he's still waiting to see what actually gets legislated and implemented. "We can assess it when we see the technical specifications." Save the date, as they say.