Get consent right to unleash Innovation - interview with former head of NHS Digital Andy Williams
Andy Williams has worked at the very sharpest end of technological transformation in the health sector. As CEO of NHS Digital, he was tasked with delivering IT infrastructure across public health and social care services, with responsibility for the secure use of patient data.
He now advises a number of private sector healthcare startups, including appointment booking service Zesty, as a non-executive director.
So, he is perfectly placed to see how a patient centric model could help solve some of the problems faced by the NHS and improve services and outcomes for the people that use it and work in it.
“I think the idea of patient centric health or individuals having access to their own data and being able to do what they will with it is a really good thing but it’s got to be enabled in some way,” he says.
“The reason I’m interested in this is that if individuals have access to their data it enables apps and other services to work off that data with the patient’s consent.
“I think in five to 10 years we’ll get to a state of affairs where the patient having control over their own data is both good for the patient and good for the system as well as offering a more economical way to do things.”
Consent is the key that will unlock the door to patient centricity
Consent is the key that will unlock the door to patient centricity. All the clever technology in the world cannot deliver true patient centricity without having effective means for people to grant – or deny – permission for their data to be used. This isn’t just a matter of doing the right thing ethically or ticking compliance boxes. Without simple, transparent consent mechanisms, innovative data-driven services simply will not be trusted.
Andy cites the case of Google’s collaboration between its DeepMind artificial intelligence project and London’s Royal Free Hospital in London to develop an app to treat kidney disease. The project faced criticism after it emerged that DeepMind was given access to a wide range of patient data beyond the specific scope of kidney disease.
“The parties entered into things with the best intentions,” says Andy, “but it resulted in more data flowing to Google than should have done. That sort of thing creates wariness because personal health data is very sensitive and the NHS can’t be seen as enabling something that allows bad things to happen to such information, such as it getting into the wrong hands.
“That creates a fence within government and within healthcare. It also means that private companies are sometimes seen as being ‘bad’ which is wrong, in my view.”
EU General Data Protection Regulation
Since the DeepMind fiasco, the EU General Data Protection Regulation has become law, giving citizens more rights over what their personal data can be used for. While the GDPR provides the regulatory backstop, Andy believes trust must be built at the level of user interaction.
“GDPR itself isn’t what will inspire confidence, but it’s one of the enablers for data to flow. What will inspire confidence is if individuals can have access to their own data in a way that they know is completely secure, completely private, and gives them control over the use of that data.
“The NHS has got to enable the infrastructure for individuals to be able to access, control, store and use their data.”
Determining exactly who owns data is often subject for debate, but it is particularly difficult considering the nature of health data and the purposes it is used for.
“I’m not even sure that ‘owning’ is the right word but having access to a copy of the data and being able to permission others to access it is, to my mind, patient centricity,” says Andy. “The reason I say the patient doesn’t necessarily own the data is that, in the case of the NHS, information about a person is produced at different interactions – when they have a consultation or undergo surgery, for example.
“Lots of people process and produce data on your behalf. The thing is, you haven’t generally had access to that and that’s what GDPR enables.”
Connecting digital islands
The many people processing and producing patient data also do so across a vast, distributed NHS, meaning information is scattered across multiple physical locations that fall under different jurisdictions. So, to problems of ownership you can add those of interoperability and portability.
“It difficult to share health data to two reasons. One is that systems tend to be incompatible making it difficult to exchange data between these ‘islands’. The second is the subject of information governance which relates not to the technology but the legal rights around the ability to share data.
There are lots of interpretations of this and in large systems people tend to err on side of caution and therefore do not share because they think they will fall foul of information governance rules.
“If the patient consents to the sharing of their data in an informed way, it can be shared. The problem in a large healthcare system is knowing whether a patient has consented because there is no system that does that.
“So even when you solve the problem of interoperability, you’ve got to prove there is a reason for passing the data and then the thing that trumps everything is whether the patient has consented to it. But the difficulty is that if you have a set of data on System A and it’s passed to System B, how on Earth do you show that thousands of patients have given consent for their data to do that?
“That was the problem Google hit at the Royal Free – it wasn’t clear that the patients had consented to that data moving and what the purpose was for moving it.
“If the individual always gives consent in a way that makes clear the purpose of the sharing of their data, that solves the problem. At least, that’s part of it. The other part is digital ID – you’ve got to know that someone consenting to use of their data really is who they say they are. The technology exists to meet these challenges.”