Today, I sent a letter to my GP confirming that I am opting out of the Caredata scheme, and do not want my data uploaded in any form to either the secondary uses databases (codes 9Nu0, 9Nu4), or to other record systems. I am already opted out of the Summary Care Record Scheme (code 93C3); I have pre-emptively also added 93C1 to opt out of upload to local record keeping systems.
I opted out of the SCR scheme because, for me, the risks were entirely disproportionate to any benefits. I am not allergic to anything, I am not taking long-term medication, there is no particular information in the SCR extract that would assist a doctor in the extremely implausible scenario where I am unable to communicate but my identity can be established with sufficient certainty as to make use of my records without further confirmation safe and good practice. As there is no benefit to me, no risk, no matter how small, is worth taking, and my general objection to large government databases applies: data leaks, data is repurposed, data is wrong.
I am opting out of the nascent Midland Care Records scheme as it appears to be run by people outside the NHS. There is a website, but such contact details as it contains refers to "powered by Central Midlands Commissioning Support Unit". The link takes you to www.experiencecounts.org.uk which purports to be in some way affiliated with the NHS, but provides no evidence for it. Even its domain name is outside the NHS domain, and therefore it presumably operates outside the NHS information governance framework. It looks like a commercial operation, and therefore not a safe place for my records.
However, the Caredata scheme opens up a different moral conundrum: I am asked to provide my records not for my own benefit, but for the common good. Although I might benefit directly in some rather unlikely circumstances, it is far more likely that the benefit will be more diffuse; drug research, epidemiology, treatment standards on a national basis. I am broadly receptive to these aims, even to the point of overcoming my needle fear to have samples taken for the Biobank project. I have participated in several followup questionnaires and even worn an activity monitor for a week for them.
However, Biobank is a model of ethnics and information governance. I was approached, sent information, gave consent after exploring their objectives and structure, and was at all times in control of the process of providing data. Contrast Caredata: after a lengthy period in which the project was veiled in secrecy, the NHS rather reluctantly agreed to a minimum cost information campaign involving using the Post Office junk mail channel. I didn't receive the leaflet, and I don't know anyone who did. As it happens, I am not opted out from receiving unaddressed mail, but it is interesting to contrast Daniel Poulter MP's statement to parliament that it was delivered to those people who have opted out with the NHS's flat contradiction. Misleading parliament is usually seen as a bad thing, but apparently not when it's done to mislead people about NHS projects.
Had I received the leaflet, it is not clear I would have been any the wiser. The leaflet is deeply misleading; as well as only mentioning the name of the project in the URL at the foot of the last page, it is vague to the point of obfuscation about what data will be uploaded, and for what purposes. Couple that with the NHS's decision to use a bizarre interpretation of "selling" in their assurances that the data will not be sold while publishing a price list and Tim Kelsey's bland claim that data re-identification is not possible, or if it's possible it's very difficult, or if you do it it's illegal (although it's not clear under what legislation) and you are left in a position of not really knowing what the project is actually going to do.
Finally, Gerait Lewis published a blog which, although not answering the question as to whether a blog is an official statement of NHS policy, did remove some mystery from the proceedings. But not terribly reassuringly. For example, having defined red data as data which is straightforwardly personally identifiable, he writes it may be released if there is "legal approval [from] the Secretary of State for Health or the Health Research Authority following independent advice from the Confidentiality Advisory Group (CAG).". So that boils down to "the NHS can't release your personal data without telling you unless the NHS decides to release your personal data without telling you". Recent minutes of the CAG show them agreeing to the release of identifiable data in the absence of consent or opt-out for a project, risk stratification, they have reservations about the value of, so they are hardly a fierce guardian of privacy, and in any event "advice" is not a veto, so the Secretary of State can ignore them anyway.
As to the benefits, well, obviously insurance companies can benefit from this sort of data. The NHS again is totally confused as to whether insurance companies will be prevented from buying it, or will be able to buy it but will be given a stiff telling off if they do the wrong things with it, or what. Similarly drug companies: research, marketing, what is permitted? In an outbreak of black farce, the original timescale was for the uploads to start before the committee met to agree the permitted purposes; in any event, the purposes can be changed at any time, so provide little solace.
There is now a six month pause while the NHS tells us why we are wrong; already there have been outbreaks of "you little people don't understand, and we doctors know best" from Clare Gerada, which is a priceless demonstration of why doctors should keep off the telly. Sorry, Clare, but speaking slowly and being patronising doesn't convince when you're so obviously contradicting yourself: "commercial entities can't have access, unless they can have access".
So I'm opted out. If the NHS can make a case, I'll change my mind. But something better than this car-crash of a publicity programme has to convince me.