NHS App: Medical Records

Question

Asked by

To ask His Majesty’s Government what measures they have put in place to mitigate the risk of people being coerced into showing their confidential medical records to third parties as records become universally available through the NHS app.

The Government want people to have access to their own records. For most, online record access is beneficial but for a minority, having access could cause harm or distress. In many cases, practices can identify these patients and ensure that safeguarding processes are in place. Furthermore, to access the NHS app, users must prove their identity through the NHS log-in and, before entering their record, are advised what to do if they are being pressurised to share their information.

My Lords, the design goals for the NHS app should be to make it as easy and frictionless as possible for legitimate users to access the system, while making it as difficult and frictionful as possible for people trying to gain unauthorised access. But there is a natural tendency to focus on the first part of this equation as developers believe in the systems they build and find it hard to put themselves in the shoes of the cunning and resourceful attackers who will try to break them. Given this dynamic, can the Minister confirm that the NHS has a red team tasked with trying to identify all possible vectors of attack on the NHS app, and that the requisite resources will be put into mitigating any risks that they identify?

The noble Lord is absolutely correct on getting that balance right between the two; that is why the NHS has a safeguarding reference group on exactly this, which has been putting in protections as well as messaging patients, telling them to be aware and that they have the opportunity to redact their records if they are concerned. There are other features, such as multi-factor authentication and making sure that, for log-in with facial ID, you cannot have anyone else in the picture, to ensure that people are not being coerced. So, there are a number of measures in place, but I completely agree that we need to keep them under review with user groups checking all the way.

My Lords, with the abundance of health data available to the NHS, what future technologies are being developed to identify patterns and trends to improve patient outcomes and reduce the pressure on the NHS?

My noble friend is correct. As the noble Lord, Lord Allan, said, there are many good uses for the app and data. As we all probably know, AI is only as good as the data that underlies it. The good situation we have—it is lovely to have a story for Christmas cheer—is that our 50 million primary care and hospital records are probably second to none around the world. We are already using that to positive effect, such as for image reading and using AI for cancer scans and strokes. We can also use that data for intelligent screening and, in future, for cause and effect to find cures, hopefully one day even for dementia.

While it is obviously important to control confidentiality of patient data, it is vital to be able to use data for medical research. Much research, such as epidemiological research, the relationship between smoking and ill health—obesity, diabetes and all sorts of diseases—would not be known much about unless we were able to handle patient data. In the rush to control, let us make sure we can still do research with patient data.

Absolutely; it is about getting that balance correct. I welcomed the support of all sides of the House when we were introducing the FDP. A lot of work was done with noble Lords on that. The fact that the federated data platform was as well received as it was in the circumstances is because of support from all Members of the House on all sides, knowing the vital role of data in improving health outcomes.

My Lords, following the question from my noble friend Lord Allan about a red team, in the past not health data but personal financial data has been sold by subsidiaries or contractors of UK firms based abroad. I notice that we now have a deal with America on health data and GDPR. Is that true for other countries, such as India? Personal data, particularly medical data, would be seen as very valuable.

The fundamental principle underlying all this is that none of the data leaves the control. The data controllers today—be it GPs, the NHS or the hospital—stay as they are, and any use of that data has to be approved outside of that. The noble Baroness is absolutely correct. We want to make sure that it is not used for any purposes that are not going to improve health outcomes, such as the ones we have talked about.

My Lords, could my noble friend update the House on where we are with sharing data—in particular, the outcomes of clinical trials—with our European partners?

Clinical trials are among the key areas that are vital to the life sciences industry. We are all aware that, post-Covid, we were falling a bit behind. I am glad to say that now we have improved, so that 80% of the time we are doing the clinical responses in time. We can still do better; that should be 100% but 80% is good. Most importantly, our data is the envy of the world. Just to give noble Lords an example, about 90% of our hospital records are digitised. In Germany, it is less than 1%.

My Lords, easy access to medical records on the NHS app is indeed positive and helpful to many, but of course there are parents whose abusive spouse or partner might use that sensitive clinical information to undermine legal cases of custody of dependants in the family courts. What discussions have taken place with the Ministry of Justice to assess both this risk and how to avert it?

In terms of averting it, there are some of the measures I was talking about. For instance, with facial recognition, if anyone else is seen in the picture, it disregards it, so that you cannot have someone else holding it or holding their head in to do it. If the person’s eyes are shut—if someone is trying to do it while you are asleep—it does not work either. Those safeguards are in place, as well as multi-factor authentication, so that if anyone tries to change their details by email or whatever, it comes back to them. We have worked with user groups on this. I will come back to the noble Baroness specifically on the Ministry of Justice conversations, but we are doing a lot in this space.

My Lords, digital transformation of the NHS at pace is being held back by the number of vacancies for digital roles within the NHS, particularly when many people are going over to the private sector for higher pay. What could the Government do to deal with this, particularly regarding the inflexible Agenda for Change?

The noble Lord is absolutely correct. Digital resource is well sought after. I was approving something just the other day which gives us more flexibility in that space, because sometimes you have to pay over and above to get people on it. As we all agree, this is vital to the future of what we are trying to do.

My Lords, as more people who are able to are switching between the National Health Service and private medical care for specific operations, is the Minister confident that relevant information is then transferred back to a single patient record? This will be very important if, for instance, somebody needs emergency care or is involved in an accident. Is the data all being kept in one place?

Patient records is what the federated data platform is very good at, in terms of drawing data and information from all sorts of sources into one place, so it is always in the ownership of the person, the GP or the individual place. You can make your data available to the private care providers, if you are having an operation with them, for instance, but the data always remains within the NHS and in the ownership of the person.

My Lords, following the question from the noble Baroness, Lady Bull, is the Minister confident, in all the talk about advances in technology, that data-sharing within the NHS is fit for purpose? We frequently encounter an apparent disconnect between different departments in the NHS, or different levels of care, where information which should be available to everybody is palpably not or, if it is, it is not being taken any notice of.

The noble Baroness is absolutely correct. While I think everybody would say that 90% digitisation is pretty good—it is not 100%, but it is pretty good—always making sure people are talking to each other is often the issue. I am sure we have all had examples of that. That is what the federated data platform helps to do, in terms of drawing it all in. For example, Chelsea and Westminster has put what was on 10 different spreadsheets and records into one place. We are getting a lot better at that, but is it perfect and seamless? No, there is still some work to be done.

My Lords, given the importance of medical research, for the development of advances in knowledge and for inward investment into this country in research, what consideration is being given to ensuring that patients in different disease groups can be asked whether they would consent to being informed about clinical studies that may be relevant to their condition? This is so that pre-consent to being approached is being built into the system, because we know that one of the big delays in recruitment into clinical studies is the process of case finding and consent, particularly for less common conditions and when patients are living in more rural and remote areas.

It is fair to say that we have made massive improvements. At the beginning of the year, we only had around 10% of patients with GP records available in the app but today it is 80%, which is a massive change. That allows us to do things like “Be Part of Research” which we have had hundreds of thousands of people volunteer for. We have not yet taken it to the next stage, so that you can get ahead of the curve for approvals for certain types, as the noble Baroness said, but the beauty of all this is that it gives all the opportunities for the future. As it is my last time standing up this year, I would like to finish by wishing everyone a happy Christmas.