Make people the controllers of their data to help the NHS go digital

Anyone with a smartphone, tablet or Fitbit knows that, when it comes to our health, all of us now have the power to be “data creators”.

Indeed, in addition to the health apps on your phone, there are all manner of digital gadgets that can monitor everything from your blood pressure or pulse to your weight or glucose levels.

‘People’s personal health records could be integrated with their internal electronic health records’

These devices are creating vast quantities of data that are often stored by individuals on their computers or in the “cloud”. Such stores of personal data are known as personal health records, or PHRs.

PHRs are of potentially immense value to health professionals, because they can highlight trends or flag events in data when, before, it might only have been possible to get the occasional snapshot of when someone visited their GP or attended hospital for a check up.

It’s not happening to a great extent but people’s PHRs could be integrated with their internal electronic health records, which are controlled by the NHS.

To my mind, what we are seeing when the health service does try to weave the two together is an inhibiting factor, borne of a lack of clarity on data ownership.

Ownership is a tricky concept here. In the parlance of the Data Protection Act, there are no owners.

You are either a “data subject” – the data is about you – or a “data controller or processor”. Each role comes with certain responsibilities and the idea of data ownership sits uncomfortably between these categories.

• Benson: Health informatics must be made accountable
• NHS England: Digital plans could save £10bn

Owning up

At the moment, the NHS often regards itself as the owner of people’s data. Historically, this has been a product of the fact that it is the data controller in most instances – medical records have largely been written by GPs or entered into hospital administrative databases.

In fact, many NHS information governance practices seem based more on internal “tradition” rather than a legal framework.

This haziness around data “ownership” has practical implications, but is particularly relevant when it comes to PHRs.

This was brought into sharp relief for me recently in my work as part of Year Zero; this was one of four projects in the Dallas project funded by the Innovate UK technology strategy board to look at methods of using technology to improve assisted living and self-care, and bringing these developments to scale.

Some of the trusts with whom we worked with were trying to roll out two new digital services:

• the eRedbook, a digital version of the familiar “red book” child health record; and
• A Better Plan, a patient self-management tool for people with long term conditions.

In the case of the eRedbook, there was anxiety across the deployment partners – Liverpool Community Health Trust and South Warwickshire Foundation Trust – around whether trusts could share data with patients (or parents in the case of the eRedbook) and under what circumstances this could be done.

Some individuals within the trusts were uncomfortable with the idea of creating data that would be outside their guardianship and were wary about breaching data protection rules.

‘There was anxiety across the trusts around whether they could share data with patients and under what circumstances this could be done’

This was an important issue to address as the lack of clear guidance threatened to stymie the whole project.

As this area is so new, however, there was no “official”, authoritative guidance to refer to.

This caused myself and Philip Stradling, enterprise architect at Sitekit, which developed the eRedbook, to produce a guidance document for NHS organisations. In doing so, we gained extensive input from Dame Fiona Caldicott, the Independent Information Governance Oversight Panel and the Information Governance Alliance.

Increasing flexibility

In integrating PHRs with NHS records, we believe the solution is to recognise that with data there are two different domains:

• a personal domain, where the patient is, in effect, the “owner” of any data about them in a record; and
• a statutory or institutional domain, where a trust might hold data about a patient as a data subject but has a responsibility to ensure appropriate use and allow the patient to access the data electronically.

Another key thing to bear in mind is consent.

The NHS has a problem sharing data between systems because it often doesn’t know whether it has explicit consent. As the NHS shares more and more data, it will need to ask for consent to share. Otherwise, individuals are forced to rely on “presumed consent”, which in this day and age seems antiquated and patriarchal.

‘The NHS has a problem sharing data between systems because it often doesn’t know whether it has explicit consent’

There’s a solution to this too. Make it the default assumption that the patient is the owner or controller of all data relating to them. They can then share this data with whichever parts of the health service they wish.

This might sound slightly outlandish but think about it: we’re increasingly going to see digitised records become the norm, with many of them self-generated by citizens as part of their self-care – which we want to encourage, not only because it engages people with their own care but because it short circuits the technical barriers around information sharing.

People live more mobile and transient lives and, as a result, expect more flexible, integrated, informed health services.

At the same time, there’s an urgent need to move towards the kind of vertical integration, facilitated by technology, that is outlined in the NHS Five Year Forward View.

This all requires a more patient centred view of data - it requires seeing the individual and their PHR as the central repository of data rather than as data subjects with disparate records spread across multiple institutions.

The aim of defining these principles is to encourage innovation in service design by providers that will be able to adopt digital solutions, sure in the knowledge that they are safely grounded in an appropriate information governance framework.

Andrew Chitty is executive director of Digital Life Sciences