The COVID-19 exit strategy - what next for patient data?

Wednesday, 9 September, 2020

The webinar focused on how temporary regulations on the use of patient data to support the response to COVID-19 have worked, and what happens when the temporary support ends.

use MY data is keen to bring a strong and direct patient voice into all conversations about patient data. This patient-led webinar brought together patients, relatives and carers, the public and professionals, was open to all and was free to join. 

use MY data always strives to present a balanced view and so, while we work to highlight the benefits of using patient data, we acknowledge the risks too. Our members believe that transparency is key. Transparency means operating in such a way that it is easy for others to see what actions are performed. In a nutshell – Say what you do, do what you say.

In order to respond to the unprecedented challenge that COVID-19 brought to the health and care system, the Secretary of State issued a wide package of measures enabling healthcare organisations, Arms’ Length Bodies and local authorities to be able to process and share the data they need to respond to COVID-19.

One part of this package is a range of Notices referred to as the Control of Patient Information (COPI) Notices, which allow the processing of confidential patient information for the specific purpose of responding to the COVID-19 pandemic. These Notices are due to end in March 2021.

If these regulations are essential to the management of the COVID-19 response, are there elements of the regulations which are worth protecting, perhaps with benefits to wider public health intelligence in the future?

Chris Carrigan from use MY data chaired the session, welcoming delegates and asking four speakers to talk us through what is happening around data uses to support COVID-19 and what the future opportunities and challenges are post-COVID-19.

Our speakers were:

Andy Moody, Senior Data Policy Advisor, NHSX

Emma Rush, Head of Data Policy, NHSX

Sami Mansoor, Policy Engagement Manager, Information Governance Policy Team, NHSX

Suki Panesar, Deputy Director, Strategy and Development, Data, Analysis and Intelligence Service, NHS England and NHS Improvement (NHSE/I)

Awareness of the COPI Regulations and Notices

Chris started the webinar with two delegate polls, exploring the knowledge of the COPI Regulations. When polled with the question "Are you aware of the COPI Regulations?", 67% of delegates said that they were.

However, when polled again with the question "Were you aware of the COPI Regulations prior to COVID-19?", this dropped to only 34% of delegates.

"COVID-19 has significantly raised the awareness of the COPI Regulations"

Uses of data at the national level

Andy updated delegates on the COPI Notices and what they have meant for the sharing and use of patient data to support the COVID-19 response, touching on some projects that are currently underway using these Notices as the legal basis.

Back in March the NHSX Data Policy team had to find a way where the healthcare sector could speed up the data sharing and access legally to fight COVID-19, for research and the development of treatments. Key pieces of data extracted from health and care settings combined with data from patients themselves have been used to help the NHS respond to the virus.  COPI has allowed the sharing of this confidential patient information specifically to fight COVID-19.

Under the COPI regulations, NHS Digital compiled the Shielded Patient List, something which had never been done before. The List enabled partner organisations across government to support and protect those who needed shielding at this time.

Use of data to help primary care

NHS Digital quickly adapted the GP Extraction Service, normally used for gathering data from practices for payments to GPs, to collect healthcare information from GP records.  This meant that requests for access to GP records could be directed to NHS Digital rather than to GP Practices, easing the potential burden on GP Practices.

Andy gave more examples of how direct care had been helped by better availability of up to date comprehensive data from the GP's records, which was made available to other GP Practices, NHS111 and other health and care services. Additional controls were put in place to ensure that only those caring for these patents had access to this data.

The COPI Notices have been extended

The COPI Notices have been extended by the Secretary of State from 30 September 2020 to the end of March 2021, to give organisations the confidence to keep sharing data in response to COVID-19. The Secretary of State has also made it clear that he may extend the Notices beyond 2021 if necessary.

Changes to the Summary Care Record

Chief Information Officers and Chief Clinical Information Officers asked for a change to the Summary Care Record (an electronic record of important patient information, created from GP medical records). The Summary Care Record can be seen and used by authorised staff in other areas of the health and care system involved in the patient's direct care.

The Summary Care Record was changed to include details of long-term conditions and significant medical history. This is now included by default in the Summary Care Record, unless patients have previously said that they do not want their data to be shared on  the Summary Care Record, by telling their GP.  This Summary Care Opt-out (about how your data can be shared to treat you) is different to the National Data Opt-out (about how your data can be used outside of your direct care). 

This change has been implemented under the COPI Regulations and will apply for the duration of the current pandemic only.  The Summary Care Record opt-out is different to the National Data Opt-out.

The NHSX Data Policy Team is working with the Summary Care Record Additional Information Project Team to seek alternative legal arrangements so that the change may not be reversed.

The NHS COVID-19 Data Store

Suki Panesar from NHSE/I talked about the NHS COVID-19 Data Store. The secure Data Store brings together and protects accurate, real-time information to inform strategic and operational decisions in response to the current pandemic.

COVID-19 has necessitated a consolidated and streamlined approach.  The Data Store has empowered NHS decision makers to harness the power of data, to improve integration and insights, and grow the capability of their data and analytics teams.  

Data was needed about current occupancy levels of beds, critical care beds, A&E capacity and general information about lengths of stay in hospital of COVID-19 patients. The secure Data Store brought together the data to allow this type of analysis to be undertaken, providing the real-time information necessary to inform decisions.

The National Data Opt-out Programme

Andy also raised the subject of the National Data Opt-out programme. During a recent period of social media activity spreading false information about “deadlines” to opt-out, an additional 34,000 people expressed their preference to opt-out. There is no deadline by which a person needs to opt-out, but the deadline for health care organisations to comply with the National Data Opt-out is the end of September 2020. NHSX is discussing with the Health Secretary whether to extend the deadline for compliance to allow organisations to focus on the response to COVID-19.

The National Data Opt-out does not apply where uses of Confidential Patient Information are in support of the response to the COVID-19 pandemic. The COPI Notices override the National Data Opt-out. 

The Red Tape Challenge

Sami talked about the Information Governance Red Tape Challenge.

Information Governance guidance sits in lots of different places and there can be conflicting information from different bodies. NHSX know that developing simple, layered guidance is making this far easier for front line staff to adopt. But existing guidance also needs to be tackled.

The Challenge will review any existing published Information Governance guidance and look to ensure published guidance is consistent with other guidance.

This will be added to a new "one-stop-shop" Information Governance web portal, hopefully launching at the end of the September 2020.

The next step for NHSX is a workshop with key stakeholders who produce national Information Governance guidance, such as Royal Colleges, The Confidentiality Advisory Group, the Local Government Association and the National Data Guardian’s office. This is planned for the beginning of October 2020.

Questions to the speakers

Chris thanked the speakers for their contributions, and opened up the webinar to delegate questions.  There were so many good questions for the speakers and regrettably not enough time to answer them all.  We have listed the full set of questions here.

“If patients are key stakeholders too, how might we get patients into the complex technical discussions, such as the Red Tape workshop mentioned by Sami?”

Sami said that of course they were stakeholders, as they need to understand the guidance, and they would be involved in identifying guidance that needed updating, but that the initial workshop was to bring people who produce national IG guidance together.

"When the COPI Regulations/Notices expire, will all the data collected under them need to be deleted?"

Emma joined the panel and responded, saying that yes, if data has been gathered under the COPI Notices, then once the Notices expire, the data would need to be deleted or returned back to the original data controller. Where it is identified that data needs to be retained beyond the COPI notices (e.g. research on the long term impact of COVID-19) an alternative legal basis will need to be identified.  NHSX is looking to identify what beneficial changes have been seen and consider alternative legal bases under which they might want to continue to retain the data.

Chris noted that as a point of principle, when decisions were being made about what should be retained, it was important to include patient voices in the conversation.  While the webinar delegates might be a largely positive audience, there may be others who would be less positive. He encouraged the use of the patient voice in NHSX's process.

Andy added that NHSX is already working with NHS Digital and the Health Research Authority Confidentiality Advisory Group (HRA CAG) to see if things needed to move onto a different legal footing.

"The COPI Notices require a record to be kept of where the data went, and what it was used for. Will you publish the lists of projects and what's happened as a result?"

Emma replied that as part of the Data Store, the service which manages that does have a log of those that have been granted access to the data from the store.

NHS Digital and PHE both have existing processes which log data access by different organisations, outside of COVID-19.

NHSX has gathered the information (on data requests) into one list so that when the COPI Notices are due to expire, they can track back to those using the data, or explore putting these uses onto an alternative legal footing.

Chris asked whether that list (of data access) was published anywhere? Emma didn't know for certain whether this was published, but offered to take this away and see what the situation was.

Suki commented that as part of the Data Store work, the NHSE/I website included information on what was actually in the Data Store and as far as the list of releases, there is an ambition to publish the information.  Suki offered to get back to us on the when and how, with timelines, because at the moment that hasn't been worked out.

Chris noted that where we have such lists, there has been real benefit in the publication of these by NHS Digital and Public Health England (PHE).  This is another example of where this would increase transparency and the understanding of what the benefits have been, as well as enabling people to ask questions about what has been happening.

"Can a GP now audit who has accessed their patient records?"

Andy and Suki said that this was slightly outside of their scope and that they would need to defer on the question, but happy to follow up on this after the webinar.

Chris noted that from a patient perspective, being able to speak to their GP about how their data had been used might be important for some people.

"Is 'confidential' data the same as 'anonymised' data? Who is supposed to obey which law or regulation and when? How does anybody make sense of any of it?"

Chris saw this as a challenge communicating a complex issue, and wondered where the responsibility for that sits?

Emma agreed that the legislation and the rules can be quite confusing for patients and the public. For the COPI Regulations, because of the public health emergency need, it absolutely allows the use of confidential patient information.

The COPI Regulations have been enacted into legislation since 2002, but the recent Notices enable the uses of data for different organisations, in support of the response to COVID-19.

The actual Regulations can be used for existing requirements, for instance by Public Health England, to manage public health outbreaks and communicable diseases. If a researcher wants to use confidential patient information which would identify an individual, there is a route to go through, through the Health Research Authority (HRA), who can provide a view to the Secretary of State as to whether this is for a legitimate purpose.

Chris wondered whether the complexities might be usefully presented as a visual following a person’s data through the journey, perhaps showing how their data might be used, and what the checks and balances might be for different potential uses? He suggested this is something that could be taken forward after the webinar.

"The Control of Patient Information Notices mentioned in the announcement is presented as if it were something new. In fact, Statutory Instrument 2002/1438 has been in force for 18 years, without substantive change. Has the government actually changed the law, as the announcement suggests? In particular, has it lifted the 'opt-out'?"

Chris said that we had already heard that the COPI Regulations "trumped" the opt-out, but also reflected the complexity and confusion around the applicability of the opt-out.

Andy agreed that the COPI Regulations themselves were not new, and had been around for a while. The Notices are new, but are temporary, and have enabled uses of confidential patient information specifically for the response to COVID-19.

Chris noted that the response to the COVID-19 pandemic had been substantial, but suggested that people working in other disease areas, for instance cancer, might argue that we see many more deaths from cancer than from COVID-19.  Should the COPI Regulations be similarly supportive of cancer and other major risks to public health?

He asked whether those are the sort of questions which might be brought into the consideration of what happens after the COPI Regulations, and whether this was an opportunity to think more widely from a public health perspective, about protecting and enabling the use of data?

Andy highlighted that the work so far had focused on the emergency, but agreed that by looking back to see what the Notices had allowed NHSX to do in this situation, this could influence possible ways forward.

Chris paused the conversation and polled the audience on three questions, about delegates' views on using data to support particular areas.

Q1: Beyond the response to COVID-19 how supportive on a scale of 1-5 are you of better use of confidential patient data to support preventative care? (1 being not at all, 5 being very)	Q2: Beyond the response to COVID-19 how supportive on a scale of 1-5 are you of better use of confidential patient data to support research? (1 being not at all, 5 being very)	Q3: Beyond the response to COVID-19 how supportive on a scale of 1-5 are you of better use of confidential patient data to support planning? (1 being not at all, 5 being very)

Some grouped questions from the audience about the National Data Opt-out and GPs:

"Why is a GP allowed to opt-out patients without asking or even telling the patients?"

Chris replied that GPs were not able to opt a patient out, and that anyone who wanted to opt out needed to do so themselves. Full details are on the NHS Digital website.

"What proportion of the 1.65 million opt-outs were applied by GPs to their entire lists rather than as a result of individuals submitting their opt-out? What is the legality of opt-outs being submitted in that way? PHE claims not to know.

Chris picked this question up, replying that the bulk of the 1.65 million were brought forward from the previous Care.data programme, and that some practices had opted-out their entire patient lists. He asked whether this was something that the panel would be able to comment on, or whether this is something that they may need to take away and involve NHS Digital in the answer.

Andy agreed that they would be best to defer to the NHS Digital team about this.

"How many patients would be at the Red Tape Workshop?"

Chris reflected that we were hearing clearly that engaging patients in workshops like this, however technical they are, helps to ensure that the workshops are grounded and that patients bring a different perspective. He said that this ought to be seen as a challenge from the audience that NHSE/I and NHSX would need to pick up.

He noted a comment from one delegate, who said: "Include patients in all discussions! They should be sitting at every single table."

Andy agreed that this was a great question, highlighting the recent OneLondon event and Citizens Juries events. He asked for suggestions about how NHSX could better include patients, and said that he would love to hear them.

Chris noted that this was a good challenge to the delegates and to use MY data, but echoed the strength of feeling that we do need patients in all those discussions.

"How can we maintain the positive aspects of data sharing, after COVID, whilst allowing opt outs to return? Ignoring opt-outs (as COPI does) will cause long term damage to patient and public trust."

This question, along with others, highlighted the need for clear and open debate about the way forward, as there was clearly a range of patient views, even amongst delegates.

The response to COVID-19 has not changed the policy opt outs. It has delayed the mandatory implementation of the National Data Opt-out to enable organisations to prioritise the response to the pandemic but where organisations were already implementing the opt out they should continue to do so.  The national data opt out has never applied to information shared for public health reasons such as under the COPI notices.

Emma reminded delegates that opt-outs were still being respected, other than for specific work to support the COVID-19 emergency. Chris noted this, but equally felt that there was general confusion about where the opt-out did and didn't apply, highlighted by the following question.

"Who is opting out of what, if the opt-out doesn't work? Am I the only non-professional listening who is baffled by what the speakers are saying?"

This highlighted the need for increased clarity and transparency to help build trust.

Chris highlighted a final few contrasting points from delegates:

"The data should be retained. Everyone should be required to opt-in. We are all in it together. It's our NHS and we should all contribute our data just as we contribute our NI and our tax. The key is then to make sure it is used in ways we accept and by people we trust. Put real people on CAGs and make them data-access groups. Don't guard it, USE it!!"

"Uses of NHS data, whether COPI or otherwise, must follow s251(7) of the NHS Act, (leaving aside that DHSC has admitted breaching it,) what can you say to give patients confidence that the rules on patient data aren't being broken “in a very specific and limited way” by you bodies or commercial entities, which result in uses that patients were told wouldn't happen. Given the characterisation of Information Governance as red tape, will the breaches of contracts or law be enforced in any way?"

The webinar finished with one final question from delegates:

"What are the top three things that the public need to be concerned about or aware of relating to any changes?"

Emma replied that what she had heard was the need for greater transparency and inclusion, as some of the messages may not be resonating with people. Andy finished by asking how we can continue going forward and keep the public engaged and interested, with the risk of COVID-19 communications fatigue.

Chris brought the webinar to a close, noting that all questions would be listed in the webinar briefing, and where possible, answers provided.

"There are clear challenges going forward, and we don't want to go backwards. This needs to be a joint solution with the organisations involved, together with views of patients from different ends of the spectrum."  He emphasised the need for greater transparency, including the need to publish the uses of data and being clear about the choices that people have.

use MY data would like to thank all the delegates and speakers for their time and contributions.  Thank you to Trish Gray for the graphics.