To ask His Majesty’s Government what measures they have put in place to mitigate the risk of people being coerced into showing their confidential medical records to third parties as records become universally available through the NHS app.
The Government want people to have access to their own records. For most, online record access is beneficial but for a minority, having access could cause harm or distress. In many cases, practices can identify these patients and ensure that safeguarding processes are in place. Furthermore, to access the NHS app, users must prove their identity through the NHS log-in and, before entering their record, are advised what to do if they are being pressurised to share their information.
My Lords, the design goals for the NHS app should be to make it as easy and frictionless as possible for legitimate users to access the system, while making it as difficult and frictionful as possible for people trying to gain unauthorised access. But there is a natural tendency to focus on the first part of this equation as developers believe in the systems they build and find it hard to put themselves in the shoes of the cunning and resourceful attackers who will try to break them. Given this dynamic, can the Minister confirm that the NHS has a red team tasked with trying to identify all possible vectors of attack on the NHS app, and that the requisite resources will be put into mitigating any risks that they identify?
The noble Lord is absolutely correct on getting that balance right between the two; that is why the NHS has a safeguarding reference group on exactly this, which has been putting in protections as well as messaging patients, telling them to be aware and that they have the opportunity to redact their records if they are concerned. There are other features, such as multi-factor authentication and making sure that, for log-in with facial ID, you cannot have anyone else in the picture, to ensure that people are not being coerced. So, there are a number of measures in place, but I completely agree that we need to keep them under review with user groups checking all the way.
My Lords, with the abundance of health data available to the NHS, what future technologies are being developed to identify patterns and trends to improve patient outcomes and reduce the pressure on the NHS?
My noble friend is correct. As the noble Lord, Lord Allan, said, there are many good uses for the app and data. As we all probably know, AI is only as good as the data that underlies it. The good situation we have—it is lovely to have a story for Christmas cheer—is that our 50 million primary care and hospital records are probably second to none around the world. We are already using that to positive effect, such as for image reading and using AI for cancer scans and strokes. We can also use that data for intelligent screening and, in future, for cause and effect to find cures, hopefully one day even for dementia.
Lord Turnberg (Lab)
While it is obviously important to control confidentiality of patient data, it is vital to be able to use data for medical research. Much research, such as epidemiological research, the relationship between smoking and ill health—obesity, diabetes and all sorts of diseases—would not be known much about unless we were able to handle patient data. In the rush to control, let us make sure we can still do research with patient data.
Absolutely; it is about getting that balance correct. I welcomed the support of all sides of the House when we were introducing the FDP. A lot of work was done with noble Lords on that. The fact that the federated data platform was as well received as it was in the circumstances is because of support from all Members of the House on all sides, knowing the vital role of data in improving health outcomes.
My Lords, following the question from my noble friend Lord Allan about a red team, in the past not health data but personal financial data has been sold by subsidiaries or contractors of UK firms based abroad. I notice that we now have a deal with America on health data and GDPR. Is that true for other countries, such as India? Personal data, particularly medical data, would be seen as very valuable.
The fundamental principle underlying all this is that none of the data leaves the control. The data controllers today—be it GPs, the NHS or the hospital—stay as they are, and any use of that data has to be approved outside of that. The noble Baroness is absolutely correct. We want to make sure that it is not used for any purposes that are not going to improve health outcomes, such as the ones we have talked about.
My Lords, could my noble friend update the House on where we are with sharing data—in particular, the outcomes of clinical trials—with our European partners?
Clinical trials are among the key areas that are vital to the life sciences industry. We are all aware that, post-Covid, we were falling a bit behind. I am glad to say that now we have improved, so that 80% of the time we are doing the clinical responses in time. We can still do better; that should be 100% but 80% is good. Most importantly, our data is the envy of the world. Just to give noble Lords an example, about 90% of our hospital records are digitised. In Germany, it is less than 1%.
My Lords, easy access to medical records on the NHS app is indeed positive and helpful to many, but of course there are parents whose abusive spouse or partner might use that sensitive clinical information to undermine legal cases of custody of dependants in the family courts. What discussions have taken place with the Ministry of Justice to assess both this risk and how to avert it?
In terms of averting it, there are some of the measures I was talking about. For instance, with facial recognition, if anyone else is seen in the picture, it disregards it, so that you cannot have someone else holding it or holding their head in to do it. If the person’s eyes are shut—if someone is trying to do it while you are asleep—it does not work either. Those safeguards are in place, as well as multi-factor authentication, so that if anyone tries to change their details by email or whatever, it comes back to them. We have worked with user groups on this. I will come back to the noble Baroness specifically on the Ministry of Justice conversations, but we are doing a lot in this space.
My Lords, digital transformation of the NHS at pace is being held back by the number of vacancies for digital roles within the NHS, particularly when many people are going over to the private sector for higher pay. What could the Government do to deal with this, particularly regarding the inflexible Agenda for Change?
The noble Lord is absolutely correct. Digital resource is well sought after. I was approving something just the other day which gives us more flexibility in that space, because sometimes you have to pay over and above to get people on it. As we all agree, this is vital to the future of what we are trying to do.