The story raises profound issues in relation to civil liberties, especially privacy and confidentiality. Before I tell it, I want to set out for hon. Members' benefit only one of the possibilities that it raises. I want hon. Members or anyone who reads the debate to imagine that they have a medical problem, such as a sexual dysfunction problem. The person concerned goes to see a doctor, who enters notes about the problem on his or her computer. The problem is successfully treated. Years later, a senior receptionist at another practice meets the recovered patient socially. The receptionist thinks, "I wouldn't mind finding out a bit more about this person." The next day, the receptionist—unethically and illegally—accesses the recovered patient's doctor's notes, which are held on a national NHS computer database and ferrets out private and confidential details, to whatever end, without, of course, the recovered patient knowing anything about the breach of privacy.
I could suggest myriad other disturbing possibilities that the story of Helen Wilkinson raises. I sketched out one simply to give a flavour of them. Without further ado, I shall tell Helen's story so far.
Helen works as a national health service practice manager. Indeed, she has worked in the NHS for some 20 years. So when it comes to the NHS, NHS offices, staff, patients and records, it can fairly be said that she knows what she is talking about.
Some time ago, Helen discovered that the University College London Hospitals trust had sent computer records of every hospital medical treatment that she had ever received to a private company, McKesson, which holds a mass of NHS records. Those records are then passed on, as Helen's were, to computer systems used by the NHS. Helen's records thus became available to several NHS bodies, such as the Thames Valley strategic health authority, Wycombe primary care trust and so on.
Helen asked to see her records under the Data Protection Act 1998, as she is fully entitled to do, and she discovered when she examined them that there was a serious mistake in them. She was effectively and, I repeat, mistakenly, registered as an alcoholic. Helen resolved, given her anger about the mistake, her concern about the many people who have access to even the correct parts of her record, and her anxiety about the even larger number who might well have access to it as the NHS computerisation programme proceeds, that she wanted her records removed from NHS systems altogether.
It is important to explain that, as matters stand, NHS patients have the right to object to data about them being held in a form that identifies them, but only when that causes or is likely to cause substantial or unwarranted damage or distress. It is not clear, if those data are held by a number of NHS bodies, as Helen's are, who decides whether damage or distress is caused or is likely to be caused.
It being Six o'clock, the motion for the Adjournment of the House lapsed, without Question put.
Motion made, and Question proposed, That this House do now adjourn.—[Mr. Cawsey.]
I asked the right hon. Member for Barrow and Furness to grant Helen's request. I received a reply from him dated
"The removal of patients from the systems that Ms Wilkinson has identified is neither simple nor straightforward".
It added that the ethics advisory group of the Care Records Development Board was considering the matter.
Helen then took a drastic decision, but the only proper decision that she believed was open to her. She decided to withdraw from the NHS as a patient altogether so that her records—including, of course, the mistaken registration of her as an alcoholic—could be removed from NHS computer systems. So, in summary, my constituent argues that she has had to withdraw from the NHS to protect her privacy.
I want to ask the Minister some questions that relate specifically to my constituent. On the "Today" programme earlier this year, her predecessor, the right hon. Member for Barrow and Furness, said in relation to my constituent:
"It must be possible to correct this"— namely, the mistake in Helen's records. That Minister went on to say:
"There is not a problem here."
So, may I ask this Minister whether it would have been possible to correct the mistake, considering the large number of NHS bodies to which the mistaken information was distributed, as so many different bodies held it?
The then Minister also said on the same programme:
"Mrs. Wilkinson does not have to have a national care record if she does not want one."
May I ask this Minister whether that is correct? How can it be correct when a patient has the right to have such records removed only when they are judged to be causing, or to be likely to cause, that patient substantial and unwarranted damage or distress?
In a further letter to me dated
"I have directed officials to ensure that her data"— that is, Helen's data—
"is removed from those systems for which the Department of Health is legally responsible as data controller".
May I ask the Minister whether that has happened yet? If not, by what date will it happen?
The former Minister wrote to me in a letter dated
"While your constituent may have opted not to seek NHS care, NHS services have not been withheld".
On that point, can this Minister clarify what would happen were my constituent to be, for example, taken suddenly into hospital? Would any notes made go into NHS computer systems? If so, would my constituent have to leave the NHS, so to speak, all over again to get any new records removed from those systems—not that she would have taken any decision to re-enter the NHS in the first place?
I want to discuss some wider issues raised by Helen's story, which I tried to illustrate at the start of my speech. I said that Helen's story raises profound issues in relation to civil liberties—in particular, privacy and confidentiality. It does so partly because her evolving story is bound up with the evolving story of the NHS computerisation programme.
Helen's records, like those of others, are held partly on paper and partly on computer. Obviously, not all NHS staff throughout Britain have access to the paper records and not all NHS bodies nationwide have access by means of their computer systems to the computer systems of other NHS bodies.
That situation will gradually change. As I understand it, the last seven years-worth of records held on the NHS-wide clearing service, or NWCS, which is a hospital computer system, and records held on GP computer systems will eventually end up on the NHS care record service, or NCRS, into which information from NHS Direct will also flow. At this point, it is important to grasp that the Care Records Development Board, to which I referred earlier, is recommending that patients should, in future, as the fully functioning NCRS comes on-stream, not be able to opt out of having a national care record. That is indeed a potential challenge to privacy and confidentiality, with serious civil liberties implications.
Other NHS patients will be as concerned as Helen—some media discussion on the matter has already occurred—about the confidentiality of their records, if those records end up on a national system that a large number of NHS bodies and individuals, including social workers for example, can access. After all, those records will hold data set down by nurses, health visitors, midwives, physiotherapists, psychologists, laboratory staff, sexually transmitted disease and addiction workers, ambulance crews and so forth. It is a long list. Those records will contain information about such sensitive matters as sexuality, ethnicity, genetics, mental health, intellectual impairment, illicit drug use, imprisonment, abortion, contraception, impotence, paternity, infertility, HIV, personal relationships, domestic violence, rape and abuse in childhood—again, a long list.
The right hon. Member for Barrow and Furness set out in his letter to me, dated
I see the Minister nodding, which indicates that she will write to me if she has to do so.
Will there be the computer facility to withhold part of an individual's record from NCRS, as I have seen it argued that there will be no such facility? What trials, if any, of the envelope software in clinical settings have taken place, and what did they find? In his letter to me, the right hon. Member for Barrow and Furness said that in certain circumstances, health professionals will be able to break the envelope seal. He wrote that
"this action can only be justified in specific circumstances, is audited and can be notified to the patient".
Who, therefore, will decide whether the patient is notified, and how?
In his letter to me, the right hon. Member for Barrow and Furness said that, in some cases,
"care professionals can themselves create a legitimate relationship".
Under what circumstances precisely can they do so? Is my constituent correct in asserting to me that third parties will be able to access a patient's data without that patient having the right to know whether third parties have accessed their data and whom those third parties were? The story that I sketched out at the beginning was an illustration of the claim that my constituent has made to me.
What assessment will the Department make of the effect on the nation's health of significant numbers of people, potentially, withholding important information from their doctors or from other health professionals because of concerns about confidentiality? What assessment will it make of the possibility of hackers altering data held on the NCRS and falsifying medical or other records? Will the NCRS and the proposed identity cards database be linked and, if so, under what circumstances is it proposed that the police or other agencies will have access to the records held on NCRS? Finally, what assessment of the clinical need for an NCRS has the Department made?
In conclusion, I recognise that serious issues about patient confidentiality and privacy arise under the current part-computer, part-pen-and-ink system, so the concerns that I raise are not entirely new. I acknowledge that a national computer system might, in some circumstances, help treat patients quickly who would otherwise not be treated so quickly. I realise that Governments of any colour have a difficult task in striking the right balance between, say, developing patient treatment on the one hand and protecting patient privacy on the other. Above all, I concede that new technology itself throws up new challenges to confidentiality and privacy.
I remain concerned that there are, in respect of the NCRS and as my hon. Friend the shadow health Secretary said, "serious unresolved issues" on patient confidentiality. I have tried to raise some of those issues in the context of the story, which is still unfolding, of my constituent, Helen Wilkinson.
I congratulate Mr. Goodman on securing the Adjournment debate today. His purpose has been to do what he can, quite properly as a constituency Member, to voice the legitimate concerns of his constituent. I fully understand those concerns. In many areas of life—whether in relation to banking, criminal or health records, for example—there is a requirement on the Government and the agencies with which they work to ensure that they maintain public confidence in the development of new technologies.
I am sure that the hon. Gentleman would accept that the best intentions lie behind these new developments. We want to ensure that people can get the best possible health care, and it is important to recognise that health care can be offered in a number of different environments, which involve different sorts of health professionals in both primary and secondary care. I hope that he agrees that our intentions are right, but that there is an important task for us all in ensuring that we have the public's confidence in what we are trying to develop.
I want to put on record my sympathy, which I am sure is shared by everyone who has heard about the distress experienced by Ms Wilkinson, for her distress at finding an embarrassing error in the record of her NHS treatment. I am very pleased to be able to confirm that that error has now been expunged and that we have respected Ms Wilkinson's further request that all her patient data be removed from the existing national database, although we have certain reservations about the consequences of doing so.
We recognise that there will be some people—Ms Wilkinson is, I think, the first, but no doubt there will be others—who feel so strongly about what they see as threats to the confidentiality of their personal health information that they will seek to remove any possibility of this information being shared within the NHS. Let me make it clear, however, that we do not envisage any circumstances in which patients who choose to have some or all of their records deleted will be "deregistered" from the NHS or otherwise denied NHS care against their wishes. That is an important point in the light of what the hon. Member for Wycombe said in his speech this evening.
What we cannot do, of course, is provide people who do not wish to be part of the new joined-up care records system with the benefits that an electronic record will provide. I would now like to focus on the new system of electronic records that we are in the process of introducing through the national programme for information technology, and the benefits that it will bring. In doing so, I hope to touch on some of the concerns that the hon. Gentleman has raised. If I cannot respond in full now, I shall certainly write to him in due course.
Some health records are already held on computers, but much—I would suggest too much—is still kept on paper. Records on paper can present challenges in respect of security of information. The shortcomings of the NHS, as it continues to depend in the 21st century on record-keeping and communication systems invented in the 19th century, are all too transparent. Records are not always available to staff providing care; handwritten entries in the record may be difficult to read; and important information may be missing. Patients themselves are often inconvenienced or put in a difficult position by having to tell staff the same information over and over again. Ms Wilkinson's distressing experience and the embarrassment that it caused her highlight the need for improvement.
We have committed quite unprecedented sums of taxpayers' money—£6.2 billion over last year and the next nine years—to revolutionise the way health information is accessed and shared. The key reasons are that electronic records and clinical communications will improve the safety and quality of care, underpin choice for patients, and increase the productive capacity of NHS clinicians and staff, potentially saving huge sums in unnecessary treatment and wasteful litigation costs. I think it will also help us to build a patient-led NHS, give us opportunities to consider how we can better safeguard information and give patients rights relating to it, and—this is important—create mechanisms to prevent some of the scenarios described by the hon. Gentleman. It will deal with questions of who will and will not have access to the information, and give patients some choice about who those people should be. It should also allow for electronic identification of people who may gain access to the system when they have no right to do so. That is important in any system involving information, whether it is held on paper or electronically.
The new system will give health care professionals secure access to patient information, and the means to update a patient's care record where and when that is needed. Errors will thus be more easily identified and corrected. From the outset, the system will hold records on an individual's care in a national computer system so that wherever care is sought, health care professionals can have access to the most up-to-date information.
The hon. Gentleman opened his speech with an example of what might happen. A receptionist might meet someone at a party, then go back to the practice and try to gain access to the person's records. I am informed, and I believe, that access rights will not enable those who are not involved in the provision of care to see records. Unauthorised access will be marked on the system, and therefore subject to audit. That is one of the opportunities granted to us by an electronic system.
We have provided the most stringent safeguards for security and confidentiality. We hope that anyone who is concerned about information will be reassured by them. The new system will allow patients to determine whether information recorded in one organisation can be seen elsewhere in the NHS: it will be their choice. Even when patients permit such access, only those involved in their care will have access to their records or to information that identifies them, and they will see only the parts of the record that are needed to inform care. That answers some of the hon. Gentleman's points about the whole health record, and about the possibility that some people might have access to information that was not appropriate. The system is designed to tackle that. Everyone who may have access will be authorised appropriately, and will need a smart card as well as a password. Crucially, the system will register the identity of everyone who looks at the records. That is important as a safeguard and as an audit trail to check that unauthorised access is not being allowed.
The way in which the new system protects patients' interests is explained in the care record guarantee published by my noble Friend Lord Warner on
The Minister spoke of an audit trail, and the possibility of tracing the details of anyone who has looked at a patient's records. Will patients have an automatic right to know who has been looking at their records?
I understand that they will. The hon. Gentleman referred to a sealed envelope. I understand that the sealed envelope will be opened only when health professionals are convinced that not doing so would put the patient's health at risk. The Caldicott guardian, who is a senior clinician in a trust responsible for confidentiality, will decide in those circumstances if the patient needs to be informed, but patients can ask at any time to know who has looked at their record.
The right to have inaccurate data rectified or erased, or to have any concerns about the processing of data seriously considered, is enshrined in statute. We are currently considering how such concerns can be practically addressed. We recognise that a transparent process needs to be established for people with concerns, and clear and applicable criteria for dealing with requests. It is not a simple matter, as there are significant medico-legal implications in deleting health information, even where it is incorrect, if someone has relied on it to make a decision. Part of the reason for that, as I am sure the hon. Gentleman will understand, is to protect the patient from people who might want to change records that could have implications in the future if the patient wanted to complain about their treatment or about how they were treated in the health service.
I also need to make the important point that, should people choose not to be part of the joined-up care records system, that will not only constrain how the NHS can help them but prevent the NHS from learning and improving on how it manages the care of others with similar conditions. That is not in order for people to know who the individual is, but to look at the case management of people with serious illnesses and diseases. We are determined to engage the public in understanding the benefits, both personal and system-wide, of the electronic care record and the way in which it will lead to a more efficient NHS, improve the quality of care and increase choice. That is why we published the care record guarantee.
I hope that my remarks will be of some assistance to the hon. Gentleman, to whom I will reply on any matters that I have been unable to deal with. I also hope that what I have said tonight has been a real opportunity to outline, in a public forum, some of the reasons why we are moving in this direction and how seriously we take the issues of confidentiality in the new system.
Question put and agreed to.
Adjourned accordingly at twenty-one minutes past Six o'clock.