Digital revolution brings data challenges for NHS


A longside its industrial cousin, the digital revolution has created fundamental and irreversible changes to our way of life. Those changes are particularly apparent in the healthcare sector and from a UK perspective, digitally enabled services are a vital element in the strategy that the NHS is using to head off the £30bn black hole that will otherwise exist in its budget by 2020.
While the majority of us expect that goods and services be available within a couple of taps of a smartphone or tablet, in a healthcare context, a sizeable group of the population are either late adopters or remain seriously concerned about data security. Add to that the moral concerns that exist in relation to the commercialisation of patient data and you see the extent of the challenge that the NHS needs to overcome before it is able to realise substantial savings through use of digital health technology.
The lifeblood of any digital initiative is data. Exponential expansion in the volume of patient data should lead to higher quality analysis and a database that is of ever-increasing value. It is therefore no surprise that the NHS views its data as a three tiered asset, essential to the treatment of patients, vital as a resource for research and increasingly important as a potential source of commercial licensing revenue.
Most people see their health data as being extremely sensitive. That must be right, not just because it is so personal, but also because the wide disclosure of your health data can have serious consequences. We want a comprehensive health record to be instantly available when we require treatment, but we are also concerned about the same data being made available without consent for scrutiny by a prospective employer, or by a financial institution calculating our health and life insurance premiums.
The tension between data use and misuse was recently laid bare when the Health and Social Care Information Centre (HSCIC) attempted to introduce its initiative. Designed to make NHS patient data available to certain approved enterprises, it was subject to a poorly publicised patient opt-out regime and the removal of certain identifiers, which in theory, should have made the data anonymous. However, the technological changes which allowed the initiative to take shape, also created the enhanced data analysis tools which threaten the effectiveness of many data anonymisation protocols, so eroding public confidence in this type of initiative.
Whatever the shape of the new data protection regime that the EU is due to implement in the next 12 to 18 months, there are three factors which will be central to the creation of a workable digital health strategy. Firstly, the need to gain the fully informed consent of patients for wider use of their data. Secondly, the need for a global standard governing the anonymisation of that personal data and thirdly, recognition of the fact that healthcare data must ultimately be owned by the patient to whom it relates.
The first two factors are reasonably easy to grasp. The third is harder, as it runs counter to the current position where a data controller has a large degree of autonomy in relation to the use of data where it holds valid processing consents. In order to rebalance the data subject and data controller relationship, the regulators should adopt a more robust premise that a patient’s rights should be protected not just as the subject of any given data, but also as the ultimate controller of that data. While the law of copyright and database rights mean that data can be owned and traded like any other asset, a new right recognising the patient’s primary interest in his or her personal data is required.
The initiative is laudable in its attempt to create a primary source of healthcare data. However, it falls down because of the flawed belief that an opt-out regime would provide sufficient safeguards against misuse. The high degree of trust that the NHS enjoys as both an organisation and a brand means that it is uniquely well placed to implement a single opt-in arrangement, through which it is empowered to hold and process patient data in a way that demonstrates that the interest of the patient is given absolute primacy.
While the number of patients who sign up to such an opt-in regime will certainly be lower than envisaged under the HSCIC’s original strategy, the clarity in relation to processing rights and hence the increased value of the resulting database should more than compensate for the loss of volumes. Perhaps more importantly, a strategy which is fully patient focused is surely the best way of both discouraging data misuse while also allowing those who have decided that open data is a fundamental part of modern life, to gain the benefits associated with the unconstrained analysis of big data and product personalisation.