Finally, the #GoldacreReview is published! (During Parliamentary Easter holidays, mid-ping-pong on the #HealthAndCareBill...)
It's 221 pages - each PDF page is a double page spread - so this could be a lo-o-o-ong [Thread].
Here goes...
It's 221 pages - each PDF page is a double page spread - so this could be a lo-o-o-ong [Thread].
Here goes...
https://twitter.com/bengoldacre/status/1512011686659575812
First point to note, in the Terms of Reference (p5), is that this is about "access to #NHSdata by #researchers, #commissioners, and #innovators" - i.e. #Planning and #CommercialReUse - so it is directly relevant to the operation of millions of people's #NationalDataOptOuts... 
"185 wide-ranging recommendations for us to explore", says @sajidjavid (p6). Gulp! Time for some coffee...
"systems that ensure #underrepresented groups are well represented" may (partly) refer to this "landmark review", which got off to a slow start:
gov.uk/government/new…
"systems that ensure #underrepresented groups are well represented" may (partly) refer to this "landmark review", which got off to a slow start:
gov.uk/government/new…
A Summary of the #GoldacreReview's 30 main Recommendations are on pages 10-17 of the main report - or in this much shorter 5-page Executive Summary:
assets.publishing.service.gov.uk/government/upl…
assets.publishing.service.gov.uk/government/upl…
OK, @bengoldacre ain't mucking about - cutting straight to the heart of the matter in Recommendations 1 & 2 (p10).
#Privacy AND #Transparency are fundamental; it's no longer enough just to say "#Trust us", and hide behind so-called '#anonymisation' techniques...
#Privacy AND #Transparency are fundamental; it's no longer enough just to say "#Trust us", and hide behind so-called '#anonymisation' techniques...
...like #pseudonymisation, which are about #linking together individuals' data over time / different contexts - making them inherently #identifiable.
N.B. For more on this, see my and others' oral evidence to @CommonsSTC last month:
committees.parliament.uk/oralevidence/9…
N.B. For more on this, see my and others' oral evidence to @CommonsSTC last month:
committees.parliament.uk/oralevidence/9…
Clear sense on #TREs too (recommendation 3) 👇
If 'any man and his dog' is allowed to build a TRE, we'll simply end up with the farcical proliferation of so-called 'safe havens' that existed pre-#caredotdata.
A small number of *mutually-accredited* TREs keeps EVERYONE honest...
If 'any man and his dog' is allowed to build a TRE, we'll simply end up with the farcical proliferation of so-called 'safe havens' that existed pre-#caredotdata.
A small number of *mutually-accredited* TREs keeps EVERYONE honest...
[N.B. @medConfidential will keep using the acronym '#TRE', as we have done for years; it is a #category term.
Different institutions may have different names for theirs - @ONS #SDS, @NHSDigital #SDE, Wales #SAIL, etc. - but they either are a #FiveSafes TRE or they aren't.]
Different institutions may have different names for theirs - @ONS #SDS, @NHSDigital #SDE, Wales #SAIL, etc. - but they either are a #FiveSafes TRE or they aren't.]
And again with #privacy PLUS #transparency; though public #trust requires more than just "logs", i.e. registers.
People should know how THEIR data is used.
If you're building a better, safer infrastructure with full #audit capabilities, telling them should be straightforward...
People should know how THEIR data is used.
If you're building a better, safer infrastructure with full #audit capabilities, telling them should be straightforward...
...as we have laid out since 2014, and pretty much every year since then:
medconfidential.org/2014/what-is-a…
Plus there are other applications as well, e.g. trustworthy '#DataInputCertificates':
medconfidential.org/2020/analysis-…
medconfidential.org/2014/what-is-a…
Plus there are other applications as well, e.g. trustworthy '#DataInputCertificates':
medconfidential.org/2020/analysis-…
There's a BIG bugbear here (recommendation 5) 👇 maybe even a hornets' nest.
Much attention has been paid to central collection, but TENS OF MILLIONS of patients' #GPdata is collected in various ways, 'out the side door'.
Practices in England should currently be doing an...
Much attention has been paid to central collection, but TENS OF MILLIONS of patients' #GPdata is collected in various ways, 'out the side door'.
Practices in England should currently be doing an...
...#audit of ALL of their 'data sharing', to ensure they will be compliant with the #NationalDataOptOut on 31 July 2022...
digital.nhs.uk/services/natio…
...so the 'mapping' bit *should* be done within 3 months.
The 'shutting down' bit will clearly take a while longer.
digital.nhs.uk/services/natio…
...so the 'mapping' bit *should* be done within 3 months.
The 'shutting down' bit will clearly take a while longer.
👏👏👏 Another crucial - if oft-abused, especially by Government - principle in recommendation 6: #open ways of working!
#Secrecy and #exclusivity have no place in health, which should be for the good of all. It's what's in the dark corners that is corrosive to #trust.
#Secrecy and #exclusivity have no place in health, which should be for the good of all. It's what's in the dark corners that is corrosive to #trust.
The next section, recommendations 7-11, digs deeper into "Modern, #OpenWorkingMethods for #NHSdata" - though I don't propose to go through each one; some do start to get into the detail, which is well worth a read.
A couple of highlights: all code paid for by #taxpayers...
A couple of highlights: all code paid for by #taxpayers...
...given any money the state spends is ours, should be shared openly, with docs.
Plus an important distinction between #OpenCode (how you do it) and #OpenData, i.e. what you've done - which should ultimately be #published - and what you've done it to - which probably shouldn't.
Plus an important distinction between #OpenCode (how you do it) and #OpenData, i.e. what you've done - which should ultimately be #published - and what you've done it to - which probably shouldn't.
Similarly sensible on "Data #Curation and #KnowledgeManagement" (12-15) and "#NHSDataAnalysts" (16-21).
Some ideas, like a "curated national #OpenLibrary" of NHS curation & analyst #code/#methods do make you wonder why the £billions spent on IT haven't already delivered this...
Some ideas, like a "curated national #OpenLibrary" of NHS curation & analyst #code/#methods do make you wonder why the £billions spent on IT haven't already delivered this...
Just leaving this one here:
Oh, boy! #Governance.
And Ben leads off with a doozy 👇
This may sound like a boring paper exercise, but it's where all the backroom #politics and #empire-building lies. Some already claim to be doing this; their lack of real progress tells a different tale.
One to watch...
And Ben leads off with a doozy 👇
This may sound like a boring paper exercise, but it's where all the backroom #politics and #empire-building lies. Some already claim to be doing this; their lack of real progress tells a different tale.
One to watch...
Recommendation 23 doesn't beat around the bush much: "ONLY AFTER" being something #NHSX & @NHSEngland have never understood, cf. #GPdataGrab last year.
"Exclusive" commercial agreements is a bit of a red herring - *exclusively* might be closer to the mark, re. #value...
"Exclusive" commercial agreements is a bit of a red herring - *exclusively* might be closer to the mark, re. #value...
...as there are plenty of #BusinessModels that don't rely on #exclusivity in order to be #exploitative.
Another precursor to that "frank public conversation" is the NHS getting a lot less naïve about #commercial behaviour - and for Ministers to stop taking the public for fools.
Another precursor to that "frank public conversation" is the NHS getting a lot less naïve about #commercial behaviour - and for Ministers to stop taking the public for fools.
A feint at #Planning - of which #PerformanceManagement" is just one component, BTW - in recommendation 24.
It'll be interesting to see how some of the members of the Review's 'Senior Stakeholder Group' manage to mangle this one in #DataSavesLivesII...
It'll be interesting to see how some of the members of the Review's 'Senior Stakeholder Group' manage to mangle this one in #DataSavesLivesII...
Setting aside that the "problem" is simply the #law - one is #DataController by matter of #fact and #action, not designation - it is quite clear @NHSEngland thinks it should be the "one national organisation" mentioned in recommendation 25.
This is a BIG problem, not least...
This is a BIG problem, not least...
...because of its take-over of the #statutory #independent safe haven, @NHSDigital, but also because @NHSEngland - which, not actually providing any #care, and only recently a data controller by virtue of #COPI - is one of the largest #customers for patients' data....
That @NHSEngland has also been deliberately and evasively #untransparent* about its (and others') use of @PalantirTech for its #DataStore, and still refuses to talk openly about the intended #Planning & #Research uses of so-called #SharedCareRecords...
__
*whatdotheyknow.com/request/commun…
__
*whatdotheyknow.com/request/commun…
...shows it simply cannot be #trusted - though I'm sure its officials would protest otherwise.
(I'm also not sure Ben isn't describing what #PAG is already supposed to be doing with #IGARD for GP data.)
(I'm also not sure Ben isn't describing what #PAG is already supposed to be doing with #IGARD for GP data.)
"Build impatiently, but incrementally" (recommendation 27 👇) is a FAR preferable to a '#MoveFastAndBreak things' mentality - and a much more sensible approach than the sort of 'big bang', top-down reorganisations the NHS has previously...
Ah! Houston, we may have a problem.
Ah! Houston, we may have a problem.
For those who've been paying close attention, recommendation 29 skewers a bunch of bad behaviour that has persisted far too long; from the information intermediaries to various fiefdoms, and self-congratulatory funding bodies that deliver no usable infrastructure. #GoodTREsWork
After those 30 recommendations, a bit of waxing lyrical 👇
A collective duty - a noble goal, even... if only some of the institutions weren't so clearly still so self-interested.
A collective duty - a noble goal, even... if only some of the institutions weren't so clearly still so self-interested.
N.B. In case you were wondering, the 30 high-level recommendations are split into more detailed pieces of advice, section by section. So, for example, the 6 for 'NHS data analysts' are broken down into 28 specific recommendations in the 'Modernising NHS Service Analytics' chapter
Rather than a blow-by-blow, some thoughts on Chapter 1 - in which, given its thrust, I'm surprised to see no mention of @ukfci* <waves>, though I see it does appear later.
(Nothing at all on #FutureNHS**, I see...)
*facultyofclinicalinformatics.org.uk
**england.nhs.uk/futurenhs-plat…
(Nothing at all on #FutureNHS**, I see...)
*facultyofclinicalinformatics.org.uk
**england.nhs.uk/futurenhs-plat…
Ben's points on #professionalisation, recruitment / retainment and career progression are well made - not least because without a recognised #profession from which one can be *excluded* for bad practice / unlawful behaviour, much talk of #DataEthics is just so much hot air.
The #OpenLibrary is a no-brainer. As I pointed out just recently re. #OpenSource*, well-managed directories would avoid #duplication and wasted resource, and help spread #GoodPractice much faster.
Something similar for #OpenContracts might help...
__
*
Something similar for #OpenContracts might help...
__
*
https://twitter.com/EinsteinsAttic/status/1504451109972238336
Good example of the non-obvious #complexity around NHS service analytics (pp21-22) for #WaitingLists, which will no doubt remain a hot topic* of acute public interest in the months and years ahead.
__
*Indeed, from earlier today:
__
*Indeed, from earlier today:
https://twitter.com/EinsteinsAttic/status/1512101531776081924
That #NHSanalysts are classified as "admin/clerical" rather than "scientific/clinical" does seem increasingly anachronistic. For without rigorous, #professional #accreditation how will the #TREs do '#SafePeople'?
(How much of the £200m is @NHSEngland planning to spend on this?)
(How much of the £200m is @NHSEngland planning to spend on this?)
10,000 people working in #analytics across the NHS vs 17,000 across the rest of Government does start to make you wonder why the centre is so obsessed with issuing endless 'strategies' when it could be supporting thriving communities of good practice, with real #practical focus.
A bit of history on #ReproducibleAnalyticalPipelines for those who've not come across 'em before:
gss.civilservice.gov.uk/reproducible-a…
Developed by @GDSteam, working with @DCMS on official #statistics, #RAP has been shown to improve #auditability, #quality, #speed and #KnowledgeTransfer...
gss.civilservice.gov.uk/reproducible-a…
Developed by @GDSteam, working with @DCMS on official #statistics, #RAP has been shown to improve #auditability, #quality, #speed and #KnowledgeTransfer...
"#Analysts do not operate in a vacuum" is dead right, as is Ben's identification of the 'air gap' of #knowledge and #understanding between - and often within - #management, not to mention the #political layer! (This is, of course, far from unique to health.)
While much of the NHS (middle) management layer runs on Excel, PowerPoint, Teams and shiny 'dashboards', (too) often the real data work gets done by underpaid, unrecognised analysts - and then gets passed off by or claimed as the success of others.
Sound familiar? 🤔
Sound familiar? 🤔
Time for a pause.
N.B. In the interests of transparency, our written submissions to the Review are here:
medconfidential.org/wp-content/upl…
medconfidential.org/wp-content/upl…
We were one of six organisations that wrote, back in March 2021; we didn't have an interview.
N.B. In the interests of transparency, our written submissions to the Review are here:
medconfidential.org/wp-content/upl…
medconfidential.org/wp-content/upl…
We were one of six organisations that wrote, back in March 2021; we didn't have an interview.
On with Chapter 2: 'Modern, #OpenWorkingMethods for NHS data analysis' - a shift that will require more profound changes in #culture and #practice for some bodies than others; #funders too.
Open sharing of #code (not personal data) is eminently #practical, not "philosophical...
Open sharing of #code (not personal data) is eminently #practical, not "philosophical...
...political or ideological" and, along with the adoption of approaches like #RapidAnalyticalPipelines, could pay HUGE dividends - not least learning from data management and analysis code #challenges that have been overcome in other areas.
No more '#HealthExceptionalism'!
No more '#HealthExceptionalism'!
Also no more #blackbox analysis "full stop"; "everything the NHS buys should be open for #scrutiny," says a senior member of a prominent NHS analytics team.
What's the use of #dashboards if the #codelists & #logic behind them aren't available for #evaluation, #checking & #reuse?
What's the use of #dashboards if the #codelists & #logic behind them aren't available for #evaluation, #checking & #reuse?
#DigitalInfrastructure is "open code and skilled teams" in the modern era, not "beige boxes of computer equipment" - nor is it a bunch of academic papers about #pilots that won't last, or posting nothing but free text descriptions and claiming your work is "on @github" 🤦♂️😡
Like everything, #OpenWorking is not without its challenges and provisos - but it's not like there isn't already an open source, community-led handbook for #reproducible, #ethical and #collaborative data science, #TheTuringWay:
turing.ac.uk/research/resea…
turing.ac.uk/research/resea…
Being able to see "#what people have done, seeing the #differences, #understanding them, and understanding how #sensitive the finding is to each difference" is crucial for #validation and #trust - something national bodies have struggled to do, not only during COVID but before.
Gotta watch out for the hypocrites and con-artists too...
Good points (again) on #TREs and sharing #OpenCode, not #PersonalData:
"Writing non-disclosive code should be an absolute requirement for those requesting access to NHS patient data", and all open code must be properly checked for disclosiveness before leaving the TRE.
"Writing non-disclosive code should be an absolute requirement for those requesting access to NHS patient data", and all open code must be properly checked for disclosiveness before leaving the TRE.
There's a bunch more interesting detail in the 44 (yes, 44!) recommendations in this chapter - on #ResearchSoftwareEngineering; tackling regressive #funding models; professional #training, #recognition and #compensation; #accountability, #audits and #contractual requirements...
...though given the past and current performance (and excuses) of some of the bodies named on not-unrelated matters, e.g. of #InformationGovernance, I shan't be holding my breath.
I'm always happy to be proved wrong, of course!
I'm always happy to be proved wrong, of course!
As well as for @MHRAgovuk, and funders like @UKRInews and the newly re-named-but-not-re-acronymed @NIHRresearch, there are also a few direct challenges for the ex-NHSX and some of its 'centres' - it'll be interesting to see how these are handled in #DataSavesLivesII...
Two more chunks before bed, and they're biggies: Chapter 3, "#Privacy and #Security" and Chapter 4, "#TrustedResearchEnvironments" - which comes with another 57 specific recommendations...
One quibble on "2 techniques to protect #privacy"; the NHS doesn't rely exclusively on #pseudonymisation and #contracts - there's also #consent, and (hard-fought-for) #dissent, i.e. opt-outs.
Absent sufficient #safeguards and #trust, patient #choice *is* a privacy #control.
Absent sufficient #safeguards and #trust, patient #choice *is* a privacy #control.
Refreshing to see the #GoldacreReview discuss #pseudonymisation realistically; all too many still hide behind it and terms like '#anonymisation' and '#depersonalised data' to obscure their use of what is still #PersonalData.
The "legal arrangements" aren't actually unclear...
The "legal arrangements" aren't actually unclear...
..since UK #GDPR / #DPA2018 makes it clear that #pseudonymised data *is* #PersonalData.
That some are still using @ICOnews' out-of-date 2012 Code of Practice to justify their processing could be simply addressed; just republish the PDF with 'Withdrawn' stamped on the cover!
That some are still using @ICOnews' out-of-date 2012 Code of Practice to justify their processing could be simply addressed; just republish the PDF with 'Withdrawn' stamped on the cover!
Good we're not the only ones pointing to the "large, poorly documented and poorly understood network of data disseminations out of local organisations" - GP practices (CPRD, OPC), pharmacists (Pharmacy2U), hospital Trusts (RoyalFree/DeepMind, Sensyne)...
medconfidential.org/for-patients/m…
medconfidential.org/for-patients/m…
...with #dissemination, greater #access to data and #risk to patients' #privacy *has* been (and will remain) a dichotomy. Hence the need for #GoodTREs ONLY.
And it's not like this hasn't been understood for years:
And it's not like this hasn't been understood for years:
https://twitter.com/EinsteinsAttic/status/1509203412310798340
Some helpful concrete examples on #reidentification, e.g. for women who've given birth in an NHS hospital, or people in the public eye. A series of events - or even just one - containing details people readily share providing the key to a person's entire medical history.
The bigger the dataset, the more attractive a target it is for malicious or malign actors (not forgetting that some may be #authorised users, cf. #CreepySingleDoctors) and for cyberattack - and the higher the risk of individuals being positively #identified...
...which is why #pseudonymisation - although sensible, useful and necessary - really only deals with the very narrow risk of "accidental viewing".
Claims there have been no specific cases of #misuse by medical researchers are bollocks; check theysolditanyway.com for details:
Claims there have been no specific cases of #misuse by medical researchers are bollocks; check theysolditanyway.com for details:
One particular niggle: @NHSDigital should not only be able to #accept dataset requests "as code rather than conversation, it should also #publish its collections as such. (Having to reconstruct the #GPDPR #codeslist from PowerPoint descriptions was really no fun.)
Gotta chuckle at "some non-technical staff expressed substantial enthusiasm about the possibilities of" #HomomorphicEncryption!
(I hear much the same in other discussions, from those who also don't appear to know their #DifferentialPrivacy #epsilon from their arsehole.)
(I hear much the same in other discussions, from those who also don't appear to know their #DifferentialPrivacy #epsilon from their arsehole.)
I'll just leave this one 👇 here for you to ponder, noting that there is literally no way to quantify "#commonplace".
#TRE-only, please!
#TRE-only, please!
This one too...
"everyone has a secret laptop" 😱😱😱
"everyone has a secret laptop" 😱😱😱
Only three recommendations in this chapter.
After reading it, the first two are self-explanatory - although #dissemination "should not expand" should really be "should be ended as rapidly as possible"...
After reading it, the first two are self-explanatory - although #dissemination "should not expand" should really be "should be ended as rapidly as possible"...
...but the third seems unnecessarily complicated. Far simpler to just stick to what the #law actually says, not how some like to (mis)interpret it - i.e. individual-level data linked with pseudonyms is #PersonalData.
Full stop.
Full stop.
Onto #TrustedResearchEnvironments, Chapter 4, which @bengoldacre rightly notes have been promised in multiple previous strategies and reviews since 2014. Let's hope @NHSEngland and other vested interests don't kneecap things again this time....
I wonder what "black box" services could be referring to?
(Actually I don't, nor will anyone following my stream - but freshly-minted Profs writing Ministerial reviews have to be a tad more diplomatic!)
(Actually I don't, nor will anyone following my stream - but freshly-minted Profs writing Ministerial reviews have to be a tad more diplomatic!)
Hmm. Three national #TREs? Is that just for England, or does it include Scotland, Wales and NI as well (i.e. 3 per nation)? Whattabout #genomic data, and #imaging?
Completely agree there should be the smallest number possible, and that dodgy ones should be shut down...
Completely agree there should be the smallest number possible, and that dodgy ones should be shut down...
...far less convinced about ones at (every) #ICS level, i.e. up to 42 "satellite TREs", when the 'functional unit' will surely be the #SharedCareRecords that already cover more than a single #ICS. (Noting @NHSEngland's reluctance to get out in front of the #IG issues with this.)
@NHSEngland While there is some mention of #genomic and #imaging data (and #AI) later, I do think the first two at least need to move in step with the national #TRE - not least for the mutual #accreditation and aligned #IG necessary both for #linkage and public #trust.
@NHSEngland Good to see some actual #operationalisable principles of what TREs are - and what they aren't! - given the largely content-free, hand-wavy blogs* and PowerPoints** that NHSx (@NHSEngland/@DHSCgovuk) has thus far put out.
__
*nhsx.nhs.uk/blogs/principl…
**england.nhs.uk/aac/wp-content…
__
*nhsx.nhs.uk/blogs/principl…
**england.nhs.uk/aac/wp-content…
Neatly put, Pete:
On "user stories", as a patient / expert member of the
public, I don't just want to "see what uses of NHS data have been approved" - I want to know how MY data has been used.
If a #TRE using #pseudonyms can't deliver this, it ain't working properly.
public, I don't just want to "see what uses of NHS data have been approved" - I want to know how MY data has been used.
If a #TRE using #pseudonyms can't deliver this, it ain't working properly.
As a privacy campaigner, I want to know that every use of NHS patients' and social care users' data is #consensual, #safe and #transparent - not least so I can get on with other things...
And, given access to data via #TRE is supposed to be open to everyone and every project that qualifies, where are the user stories for, e.g. #PharmaMarketers? You better believe they're gonna keep wanting the data they already get!
There's a whole chapter on #governance to come, but it is notable how some platforms currently in use fail as #TREs at the first hurdle - not because the tech itself is shonky, but because of lack of #transparency, clear and evident good governance and even outright #secrecy.
[Query, especially given Pete's quote above: if its #IntegratedDataPlatform is to "meet the needs of internal users at @ONS" then how exactly does it meet the 'open to all' criterion for a proper #TRE, rather than a #DAE?]
#SAIL/UK-SERP in Wales gets quite a bit of praise, less so what's going on in Scotland. #eDRIS certainly stepped up during pandemic, but there are real problems at sub-national scale, e.g. with #DataLoch:
theferret.scot/data-loch-to-g…
theferret.scot/named-102-gp-p…
theferret.scot/data-loch-to-g…
theferret.scot/named-102-gp-p…
Realistic appraisal of the wide variety of "Diverse datasets, diverse users" - I imagine many people reading the list would be surprised to see what "#Planning and #Research" actually covers...
For a bit more insight into the "rapid informative
overview of recent #investments" in #TREs that page 119 describes as "challenging, even with direct questions", you might want to cast your eye over the responses linked at the bottom of this web page:
hdruk.ac.uk/news/response-…
overview of recent #investments" in #TREs that page 119 describes as "challenging, even with direct questions", you might want to cast your eye over the responses linked at the bottom of this web page:
hdruk.ac.uk/news/response-…
Awk! Just seen the time ☹️
As noted above, there are 57 specific recommendations in this chapter; some impacted by @NHSEngland's take-over of the statutorily independent @NHSDigital, not least on timeframes; one potential 'cart-before-horse'; not really enough on how data...
As noted above, there are 57 specific recommendations in this chapter; some impacted by @NHSEngland's take-over of the statutorily independent @NHSDigital, not least on timeframes; one potential 'cart-before-horse'; not really enough on how data...
...does or doesn't make it into a #TRE, i.e. respecting patients' #dissent. Maybe that'll be covered elsewhere, but it's not right to assume that 'TRE-only' will assuage everyone's concerns - after all, it's really only a third(-and-a-bit) of #consensual, #safe and #transparent.
Rapid fire: "NO SPECIAL CASES!" 👍👍👍
If NHSE won't even put out #IG red lines, why trust it to propagate a "#ServiceWrapper" it itself seems to want to avoid?
Sorting out #EmpireBuilders probably doesn't mean putting one in charge; it should definitely answer #FOIs, though...
If NHSE won't even put out #IG red lines, why trust it to propagate a "#ServiceWrapper" it itself seems to want to avoid?
Sorting out #EmpireBuilders probably doesn't mean putting one in charge; it should definitely answer #FOIs, though...
#AI's already been given too much money, with very few usable results; focusing on "foundational #infrastructure for conventional data analysis" is a much higher priority - and will end up helping with ML/DL (and whatever comes after) in the longer run...
...and nice to wrap up (for now) on a neat two-side fisking of the common whines, gripes and objections to #TREs - many of which reek of "but... but... I'm a special case!"
#GoodTREsWork:
medconfidential.org/2021/good-tres…
#GoodTREsWork:
medconfidential.org/2021/good-tres…
OK, morning calls done. Time to pick up at Chapter 5 of the #GoldacreReview, "#InformationGovernance, #Ethics and #Participation", over (what's likely to be a long) lunch...
Lots of complexity here. Also dark corners rarely discussed, which #TREs alone cannot address.
It's one thing to (legitimately) complain about delays, but characterising #safeguards against actual bad practice as 'barriers' when bad apples aren't punished, means everyone suffers
It's one thing to (legitimately) complain about delays, but characterising #safeguards against actual bad practice as 'barriers' when bad apples aren't punished, means everyone suffers
Important to bear in mind that TREs must cover all Five Safes; well-managed #SafeSettings, #SafeData and #SafeOutputs will do a lot, but that still leaves #SafeProjects and #SafePeople - which is where many of the tricky #cultural and #ethical issues still reside...
Hmm. "There is an incorrect belief that patients are against data-sharing" - really? Who says that?
It is an indisputable #fact that *some* patients are against *some* types of data-sharing, and any 'solution' that fails to attend to this will inevitably exacerbate the problem.
It is an indisputable #fact that *some* patients are against *some* types of data-sharing, and any 'solution' that fails to attend to this will inevitably exacerbate the problem.
So if the Review cites #NHSx's 'IG Framework for Integrated Health and Care' 👇 why is it that Framework, which @NHSEngland and @DHSCgovuk have been working on since 2019, makes literally ZERO mention of 'Journey 3' (Planning) and 'Journey 4' (Research)?
nhsx.nhs.uk/information-go…
nhsx.nhs.uk/information-go…
It is indeed the case that grown-up, properly informed discussions on #monopolies, #CommercialUse, #PerformanceManagement, and #controllership are long overdue!
There's plenty of evidence on the first three, and @NHSEngland's take-over of the independent statutory #SafeHaven...
There's plenty of evidence on the first three, and @NHSEngland's take-over of the independent statutory #SafeHaven...
...(on which the Review is mute) is about to throw a spanner in the works on the fourth.
'One controller to rule them all' could be described as more "efficient" - but when that entity is itself a major consumer of patients' data, #public and #professional concerns will persist.
'One controller to rule them all' could be described as more "efficient" - but when that entity is itself a major consumer of patients' data, #public and #professional concerns will persist.
The simple fact is that those providing care will ALWAYS be #DataControllers, because the data is being created by them in the course of their #provision of care to their patients - or shared with them directly in #confidence. And, as controllers, with legal and professional...
...obligations, it is those providing care who have a duty to ensure their patients' #confidence, #rights and #choices are being respected.
If in making a #copy for someone else to #control you ignore or undermine ANY of these things, you'll have problems.
If in making a #copy for someone else to #control you ignore or undermine ANY of these things, you'll have problems.
On a practical point, that some 'have to' contact thousands of practices for permissions is (a) an egregious failure of @NHSEngland, which could have resourced a #TRE way back in 2014, and (b) somewhat a failure to understand how the GP IT suppliers and @NHSDigital (can) work...
...as for a well-funded national-scale programme with fully #consented participants, why did no-one think to get EMIS, TPP and (then) INPS to implement a 'consented release' function?
Which might've helped avoid some of the other messes described too!
Which might've helped avoid some of the other messes described too!
A bit of extra context for the (entirely lawful, legitimate) 'LAUNCHES QI' study:
1) That it needed #s251 support means it was processing identifiable patient data without consent.
2) On the timescales described, the approvals they were "still waiting for" were during pandemic
1) That it needed #s251 support means it was processing identifiable patient data without consent.
2) On the timescales described, the approvals they were "still waiting for" were during pandemic
Before welcoming initiatives like the Health & Care #InformationGovernance Panel:
nhsx.nhs.uk/information-go…
and its #IGPortal (much of which it didn't create, but inherited/took over):
nhsx.nhs.uk/information-go…
maybe a net assessment of #NHSx's actual contribution should be made?
nhsx.nhs.uk/information-go…
and its #IGPortal (much of which it didn't create, but inherited/took over):
nhsx.nhs.uk/information-go…
maybe a net assessment of #NHSx's actual contribution should be made?
It's true that "new #regulatory bodies and #checks have been introduced with good intentions", but equally true that #necessary and #effective bodies (NIGB, IAG) have been abolished - only to be reinstated (NDG, PAG) at a later date, after much effort and more erosion of #trust.
The draft NHS data strategy (#DataSavesLives) is actively misleading when it talks about "sharing #anonymous data for the benefit of the systems as a whole".
If DHSC cannot agree that #pseudonymised data is not anonymous, as this Review clearly explains, then what is the point?
If DHSC cannot agree that #pseudonymised data is not anonymous, as this Review clearly explains, then what is the point?
Again with the "assumption of maleficence that everyone who wants access to data has a nefarious intent"? It's just not true - for the vast majority - BUT if you won't deal with systemic flaws and punish 'bad apples' when discovered, then it's legitimate users of data who suffer.
OK, we're quite a way into public attitudes now and there's still no meaningful discussion of #dissent. Just talking about #consent isn't nearly enough; opt-outs are the one #control that allows patients to express their (admittedly not very granular) #choice.
We predicted...
We predicted...
...the effect of #GPDPR back in 2016, based on (amongst other things) research commissioned by @wellcometrust that led it to set up @Patient_Data*.
The Review agrees #TRE-only won't solve all the problems, so why ignore this mechanism?
__
*not published on UPD's own site 🤔
The Review agrees #TRE-only won't solve all the problems, so why ignore this mechanism?
__
*not published on UPD's own site 🤔
On #caredotdata, for example, it was not just that the programme was appallingly and #misleadingly #miscommunicated; the opt-outs were made deliberately confusing and difficult - something that *still* hadn't been addressed by the time #GPDPR was announced.
The more difficult...
The more difficult...
...you make it for patients to exercise their choices, the less #trustworthy you appear; #trust being in the eye of the beholder.
And repeating the same action expecting a different result BEFORE YOU'VE CLEANED YOUR ACT UP was always a recipe for disaster.
And repeating the same action expecting a different result BEFORE YOU'VE CLEANED YOUR ACT UP was always a recipe for disaster.
Similarly, relying on "detailed logs of all activity [being] disclosed for external scrutiny" doesn't go far enough.
People want to know how THEIR data has been used - and if it #demonstrably HASN'T been used by those they have concerns about, then they're less likely to opt out
People want to know how THEIR data has been used - and if it #demonstrably HASN'T been used by those they have concerns about, then they're less likely to opt out
I *was* an expert witness in some of the #CitizensJuries described, and while I can confirm #OpenSafely was broadly well received, key aspects of the other two - @NHSEngland's #untransparent @PalantirTech-driven #DataStore in particular - certainly were not!
There are indeed '#monopolies', some of which are quite astonishing, e.g. #IQVIA and hospital prescribing.
The Review is right to call for "no special cases", because it is precisely the #EmpireBuilders who are already lobbying (and manoeuvring) not to have to be in the #TRE.
The Review is right to call for "no special cases", because it is precisely the #EmpireBuilders who are already lobbying (and manoeuvring) not to have to be in the #TRE.
It's also correct that #PerfomanceManagement is to #Planning, as #CommercialReuse is to #Research.
Such concerns are legitimate, given "near real time intelligence" on "provider performance" have been @DHSCgovuk & @NHSEngland's stated goal for years:
data.parliament.uk/writtenevidenc…
Such concerns are legitimate, given "near real time intelligence" on "provider performance" have been @DHSCgovuk & @NHSEngland's stated goal for years:
data.parliament.uk/writtenevidenc…
It may be "unhelpful" to describe patients' data as being "sold", but how else do you describe a #transaction where #money changes hands, and an #asset of value (i.e. #copies of patients' identifiable data) is #transferred under #contract?
The #price charged is a separate issue.
The #price charged is a separate issue.
Where we certainly agree is that the NHS is unlikely to get substantial revenue from direct sales of NHS patients' data. And, in a TRE-only world, negotiations around #value - which resides more in the #insights generated - can be made far more #openly and #consistently.
I don't understand the obsession with "exclusive" deals; indeed, I'd like to see evidence of them.
Data is non-rivalrous, and even @Google @DeepMind and @SensyneHealth didn't sign deals #preventing NHS Trusts from working with others. (Not that @DHSCgovuk understood that!)
Data is non-rivalrous, and even @Google @DeepMind and @SensyneHealth didn't sign deals #preventing NHS Trusts from working with others. (Not that @DHSCgovuk understood that!)
On the variability across GP practices providing their patients' data to third parties without explicit #consent; if that data was only #pseudonymised, then since May 2018 (without s251 support) they would have been entirely and #lawfully correct to deny it.
I'm also not an expert on #PPIE, but have participated in several of the examples given. This sort of involvement is indeed vital, but it is not a #panacea - even carefully chosen panels rarely arrive at a 100% consensus - so while "Everyone counts", so does everyone's #choice.
'Only' 29 specific recommendations in this chapter, the first for a 'single form' for data access permissions. I would've thought the first practical step would be to insist on a single (project) #identifier; we give 'em to patients to help navigate complex pathways, after all!
IG4 is a bit 'Who Watches the Watchmen?', and the map in IG5 could take a while* - though worth it - and I think two-track approval for #TRE access vs copying data...
__
*Here's one @reformthinktank did, just for the regulations around data-driven tech:
reform.uk/research/data-…
__
*Here's one @reformthinktank did, just for the regulations around data-driven tech:
reform.uk/research/data-…
..is reasonable, as long as #consensual and fully #transparent to the individual is done too.
"retrospective changes to current opt-outs should be handled with great caution" could be more prophetic than @bengoldacre thinks; dissent is not just via #NDOOs but #Type1s as well.
"retrospective changes to current opt-outs should be handled with great caution" could be more prophetic than @bengoldacre thinks; dissent is not just via #NDOOs but #Type1s as well.
I've said before you don't need to change #definitions (except the currently broken, badly-abused ones) or the #law; #pseudonymised data, i.e. the only stuff worth doing research on, is #Personaldata. Full stop.
Time everyone just accepted what's been true for years.
Time everyone just accepted what's been true for years.
Don't touch the #DigitalEconomyAct (IG14) re. health data until stuff that was promised years before it is fully in place - which includes things like 'one strike and you're out' sanctions, which should not just be limited to reidentification offences.
Yes to mapping and publishing all the flows of data (IG16); ditto the DPIAs, DSAs, etc. (IG17) - the real question being, why didn't @DHSCgovuk and @NHSEngland insist on this being done YEARS ago?
Oh, and don't forget to shut down the flows that haven't followed the rules!
Oh, and don't forget to shut down the flows that haven't followed the rules!
@DHSCgovuk @NHSEngland 'One controller' runs the risk of becoming a car crash; there's *already* an #independent #statutory #SafeHaven (which is the only reasonable candidate for IG20) but it's in the process of being taken over by what is potentially one of the biggest #consumers of patient's data 🤦♂️
@DHSCgovuk @NHSEngland Optimistic to think the 'Centre for Improving Data Collaboration' in its current form will help with either the #power imbalance or the detail of #commercial deals. Just look at what's happened on its watch! (We'll be writing something in due course on how this might be unstuck.)
@DHSCgovuk @NHSEngland [Nearly there! Now at page 90 out of 112, or 178 out of 221. More later...]
OK. Final stretch, picking up at Chapter 6, "Data #Curation" (p178) - which, as the summary points out, is something that has been "historically neglected".
Some might be tempted to skim over this section, which would be a shame given data #preparation - as 'unsexy' as it may...
Some might be tempted to skim over this section, which would be a shame given data #preparation - as 'unsexy' as it may...
...seem is actually the vast bulk - the 'hidden part of the iceberg' - of what needs to be done for any #meaningful analysis to take place.
Not all data is the same! And data collected or created in the course of providing #care is not...
Not all data is the same! And data collected or created in the course of providing #care is not...
...and never will be like data created explicitly for research/analysis. There's a really excellent section on 'How raw #NHSdata is turned into a usable [research] dataset' which gives a feel for the complexity - incidentially explaining why such #curation is unamenable to #AI.
[In passing, p179 also identifies a category of data not really covered by direct #care, #research OR #planning - i.e. #payments - issues around which (e.g. invoice reconciliation) have been 'booted into the long grass' with perpetually-renewed s251 support for many years.]
One of the recurring challenges laid down by this Review is will the centre stop focusing on "low-lying fruit" and "unrealistic" promises and instead focus on supporting and resourcing the #systemic work and real #CultureChange that will pay dividends in the medium- to long-term?
The solutions here are similar to those suggested elsewhere: #open ways of working, #libraries of re-usable work, invest in #people, #teams & #knowledge not #ShinyObjects or #BlackBoxes - with the added bonus that, if you do, you'll be helping solve problems like #interop too...
N.B. We heard the crazy talk about billions to 'clean up NHS data' too; maybe wiser heads or circumstance have prevailed.
For if you're going to spend billions then why not invest it in the true #infrastructure of the NHS? i.e. its #people.
For if you're going to spend billions then why not invest it in the true #infrastructure of the NHS? i.e. its #people.
As throughout, the examples given are well chosen and clearly worked through - whether about #hypertension or #ethnicity, as in this chapter, it's refreshing to read something written by people who clearly know what ALL the words mean!
Interesting couple of references to the #computerisation of General Practice in the 1990s (96% were by '96) which begs more than a few questions about what has changed since. Maybe @NHSEngland should understanding the underlying lessons of that model before it 'has another go'?
Ouch! I wonder with how many this description 👇 of data management rings true?
That said, I'm more sceptical about '#CodeAsConversation' in ALL cases. It has its place, but we're quite a way from being able to automate checking the #semantics and #syntactics of machine-readable DSAs. (Especially when you throw political / policy imperatives into the mix...)
#Codelists aren't like #catalogues, and neither of them are like #SQLqueries. One reason why its all the more important we get each of the basic #BuildingBlocks right, and start right now. Eight years after #caredotdata, we'd made very little progress; where will we be in 8 more?
When each of four commonly-used datasets can miss between 25% and 50% of all myocardial infarction events* (p192), spaffing another quarter-£billion up the wall of your #AILab starts to look a lot like mistaken priorities...
__
*Heart attacks.
__
*Heart attacks.
There's a litany of wasted money and wasted effort on these pages, about which the Review is (mostly) diplomatic, "in order to maintain a positive focus on future work".
This is all right and proper but, when the time comes, the public should be able to expect that those who...
This is all right and proper but, when the time comes, the public should be able to expect that those who...
...failed to work openly, collaboratively and constructively, or who hoarded or empire-built should not be re-funded.
"Investment" is only #investment if it delivers a return.
"Investment" is only #investment if it delivers a return.
Interesting on 'Why #libraries are better than standard #variables' - an argument I can imagine would rage on and on in certain circles!
But there's no denying that this can be devastatingly true:
But there's no denying that this can be devastatingly true:
Interesting also, but hardly surprising, that #ClinicalInformatics should be far better resourced in the US - where data is, of course, used "to manage complex reimbursement systems for private insurers".
Just leaving this one here:
Really, really important bit: rather than pipe-dreams like "separating the data layer from the application layer" (see p199-200 for why this is 'monumentally ambitious') focusing on interoperable code for data curation "approached pragmatically and productively, in a part-wise...
...fashion" will actually help with wider issues of #interoperability, and deliver plenty of useful and (re)usable stuff along the way.
Conversely, it's an #AcidTest:
Conversely, it's an #AcidTest:
18 specific recommendations in this chapter, several reiterating those made elsewhere - adopting #RAP, open working methods, in #TREs, with research engineer support, and open libraries.
Cur6: "Ensure national programmes lead by example" *should* be the case, but deserves...
Cur6: "Ensure national programmes lead by example" *should* be the case, but deserves...
...a degree of real caution, given the choices *some* national bodies and national programmes still seem to be making.
'Exemplary' is, unfortunately, not always good!
'Exemplary' is, unfortunately, not always good!
Cur11 once again crashes into the on-the-ground reality of #SharedCareRecords; the ToR of the Review may have put #ShCRs out of scope, but when you advocate "local TREs", you are effectively talking about the same thing.
Cur15 seems a tad dogmatic. And comes from someone who developed a system that works like that.
"Allow that all dataset requests can be made in code" might be a better start? Things'll probably break less that way.
"Allow that all dataset requests can be made in code" might be a better start? Things'll probably break less that way.
Good to see @ukfci gets a mention, and couldn't agree more that it's "unrealistic to expect individuals to resource the development of #professional structures to meet national #strategic needs".
[Declaration of interest: I'm an associate member.]
[Declaration of interest: I'm an associate member.]
Which leads neatly onto Chapter 7, "#Strategy", and #Conclusions in Chapter 8.
But first, as friends north of the border might put it, a wee break...
But first, as friends north of the border might put it, a wee break...
Dr (sorry, Prof) Ben's #diagnosis rings true...
...and "3 year years of delivery" sets a time frame - though I'm not sure I like the sound of a(nother) "big bang"!
And after all this, the #prescription boils down quite neatly, on the page at least:
1) Use people with technical skills to manage complex technical problems...
And after all this, the #prescription boils down quite neatly, on the page at least:
1) Use people with technical skills to manage complex technical problems...
2) Build #impatiently, but #incrementally
3) Identify a range of 'data #pioneer' groups from each key sector
4) Build #TRE capacity by taking a hands-on approach to the components of work common to all TREs
5) Focus on #platforms
3) Identify a range of 'data #pioneer' groups from each key sector
4) Build #TRE capacity by taking a hands-on approach to the components of work common to all TREs
5) Focus on #platforms
There's a bunch of detail under (4), of course - and 'Pioneers' and 'Vanguards' have been pretty standard practice for years - but none of this seems like too bitter a pill to swallow.
The question is, will @NHSEngland's service Transformation Directorate see it the same way?
The question is, will @NHSEngland's service Transformation Directorate see it the same way?
@NHSEngland In #Conclusion, though there are opportunities for global benefits at "biblical scale", #TANSTAAFL* - accept the technical #complexity, work in the #open, using open #funding, to create an infrastructure of #people, #knowledge and shared #code.
_
*By way of Heinlein and Friedman
_
*By way of Heinlein and Friedman
I don't know "the cost of digitising one hospital" - though I do know Tim Ferris joined @NHSEngland from Massachusetts General Hospital, which in 2016 deployed Epic in a programme costing almost a billion dollars - but £200m for #TREs, spent wisely, could provide a good start...
...and it MUST be spent wisely for, as the Review says, "we must #earn public #trust".
Burnt at least twice now, *millions* of people's trust has already been lost - and they aren't likely to come rushing back if @NHSEngland falls into old habits, and drops the ball. Again.
Burnt at least twice now, *millions* of people's trust has already been lost - and they aren't likely to come rushing back if @NHSEngland falls into old habits, and drops the ball. Again.
Thanks for sticking with me if you got this far!
More in due course, no doubt - check out medconfidential.org/news/ for our next post.
Normal service will resume in a little while - but for now, have a good weekend 😁
More in due course, no doubt - check out medconfidential.org/news/ for our next post.
Normal service will resume in a little while - but for now, have a good weekend 😁
• • •
Missing some Tweet in this thread? You can try to
force a refresh
