This site is intended for health professionals only

At the heart of general practice since 1960

Locking horns over the care record: arch sceptic versus true believer

As Pulse's Common Sense on IT campaign gathers pace, veteran IT campaigner Dr Paul Thornton goes head to head with Connecting for Health’s Dr Gillian Braunold in a special email debate, here published in full, unexpurgated form

As Pulse's Common Sense on IT campaign gathers pace, veteran IT campaigner Dr Paul Thornton goes head to head with Connecting for Health's Dr Gillian Braunold in a special email debate, here published in full, unexpurgated form

Hi Gillian,

I gather you are expecting this email from me with a view to the publication of an email exchange between us in Pulse. Perhaps a dialogue can generate light where currently there is heat?

Firstly, I think it might expedite matters to set out where I think there is agreement between us. We both recognise the need:

- for sharing relevant and necessary information between professionals involved in care in as timely a manner as possible.

- to identify patients at risk, automatically prompt and monitor aspects of care and to incorporate checks and safeguards into routine care.

- for privacy, confidentiality and data security.

The use of paper records creates shortfalls in all these areas that can be substantially improved by the use of information technologies. We are both enthusiastic long term users of clinical IT systems. There is no Luddism or technophobia in GP criticisms of Connecting for Health.

I know you give high value to patient confidentiality and you have argued forcefully for smart card access controls, role based access, and various concepts of metaphorical sealed envelopes.

If they can be made to work (and this seems to be a big if) these might be usefully incorporated into established GP systems. But they are yet to be proven, will be over ridden and will be ignored in respect of transferring identifiable patient information to and from the Secondary Uses Service.

It is essential that we maintain the use of distinct & separate databases in the various providers so that the patient retains genuine full control over the dissemination of data.

Why can't we have a system by which information is pushed to explicit destinations as required, while the opportunity remains for selective data to be pulled, with greater safeguards, when there is genuine need?



Dear Paul,

I agree entirely with you, Paul, around the benefits of electronic records to support effective, efficient and safer health care.

As always the issue is finding the balance on the weighing scales between the barriers necessary for essential information governance and the necessary freedoms to share information appropriately for patient care.

I'll start my response to you with your last point since it is your conclusion that I have a problem with. You argue that we should ‘maintain the use of distinct & separate databases in the various providers so that the patient retains genuine full control over the dissemination of data'.

First, our current systems do not offer patients full control over the dissemination of data. Few patients know what is in their records and few colleagues currently consent patients over necessary transfers of information, either paper or electronic.

Second, the location of the database is not the key to control, but it is to data security. If a practice chooses to have the patients' records hosted outside the physical building of the surgery, the practice has no less control over the dissemination of that data than they have within its four walls.

However, we should ensure as the guardians of our patients health records that they are protected to industry standards.

As the floods last month illustrated, a file server in a cupboard of a surgery is not sufficient security. Those practices in the North East using shared servers in data centres had the benefit of remote access to their records without loss of service even through they could not access their buildings.


Hi Gillian,

I am sorry you have a problem with the notion of maintaining separate databases for each provider, even though these could be on remote servers.

You are correct that central servers could be established such that a practice (and its patients) ‘has no less control'. But this does not correspond to the remote server proposals put forward by Connecting for Health.

The reason that Connecting for Health is trying to insist on its central servers is to facilitate transfers of all the identifiable patient data on to the massive, nationwide secondary users database, with no opportunity at all for either the patient, or the involved clinicians, to prevent that dissemination.

Unfortunately, early secondary care IT work, piloted on the Wirral, was taken forward as the model for Connecting for Health. A single health record for each patient across all providers.

Therein lies the flaw. That flaw was compounded by a Blair moment which decreed that this single record should be accessible anywhere, and then further compounded by the data harvesting plans.

The balance you describe between ‘the barriers necessary for essential information governance and the necessary freedoms to share information appropriately for patient care' was irrevocably tipped such that even Connecting for Health's own risk analysis confirmed that the proposals will be detrimental to care.

That is why we need to look again at separate clinical databases that can communicate so that information is "pushed" to precise targets where it is likely to be needed, but ‘pulled' in a genuine emergency, to the small number of people who really need to know. This reduces the exposure risk and is all against a background of genuine and complete patient consent and/or veto.

Such a system already seems to be up and running. Take a look at the video and other material in English on the website of the Dutch supervisory body, the Nationaal ICT Instituut in de Zorg that describes the system in Holland.

The irony is that the IT contractor for the Dutch system is CSC, one of the major contractors for Connecting for Health.



Let's separate some of the issues you raise since it is very easy to cloud one with another.

The first is whether access to clinical information is push or pull. The importance lies in the outcome – accurate clinical information available when it can make the difference to patient safety and care.

We both agree that this needs to be a pull in a genuine emergency; Choose and Book is an example of the push in action in CfH. We may only differ on when it's pull and push in between.

Let's no forget why information sharing is important for patients. The experience that I hear most often by frequent users of the NHS is their frustration at having blood tests repeated because they are being seen in a different clinic, having to repeat their histories when they feel really unwell, and frustration at the poor communication between those looking after them.

Most patients don't wish to be treated in parts but as a whole and expect their clinicians to have access to relevant information to care for them with optimum safety.

In my view the essence of the debate lies in two issues: the controls over access and the security of the clinical records.

The access controls are and will be robust, as much for access for clinical care as for access to unidentifiable data in the Secondary Uses Service (SUS).

The access controls being designed and implemented in Connecting for Health are the most modern and effective available. A patient can opt to supplement these access controls by choosing not to have their clinical record shared.

The SUS is built in order to ensure the health service manages itself properly. Just as you use your patient clinical data to manage your surgery, the NHS needs access to manage itself.

The service cannot quality assure and improve its care without information. The controls around the use of unidentifiable (pseudonymised) data in SUS are governed by the Care Record Guarantee.

In terms of the security of the clinical records, I have a choice of whether my patients' data is physically stored in my surgery at Kilburn Park, in a PCT managed server environment, in the Bread Factory managed by INPS, or in BT's managed store.

I can take advantage of different security arrangements. However I do have a duty to ensure that these records, which I hold on behalf of the patients, are not put at risk and now more than one practice in ten has accepted that remotely hosting offers the best security of those records.

When I explain to patients and colleagues the controls that are in place for record sharing and security most are reassured by the measures being built.

As you and I know the weakest links in the security of the data is not the technical side but the humans managing it and their vulnerability. That is why I believe that all of us need to wake up to our responsibilities regarding the governance of information and the importance of our guardianship of patient records.



The debate is not just about the controls over access and the security of the clinical records. It is more than simple data protection.

It is about confidentiality and the right to privacy. It is about the right of an individual to decide if information is recorded at all, and, if so, under whose control. It is about who is granted access, even if the control mechanisms are satisfactory.

It is about which of those people with direct access will pass on information to third, fourth and fifth parties. It is about who will filter information that is not relevant or necessary before it is passed on. It is about delivering information rapidly and when needed in a targeted manner rather than making lots of information needlessly accessible on a huge scale.

The national care records guarantee euphemistically tells patients that 'this new system will allow only those involved in your care to have access to records about you from which you can be identified, unless you give your permission or the law allows'.

The list deriving from those last four words is enormous and includes the police, investigative social services departments, the department for work and pensions, the audit commission, the DVLA, unspecified medical researchers, etc

Function creep for example that the database is searched for forensic detection purposes is inevitable given existing police powers. ‘Please identify all the white men with blood group A+ and a drink problem who live in this post code area……'

Why did you claim that information on the Secondary Uses Service is ‘unidentifiable'? It is so important that that I need to repeat myself.

Information will be stored on the secondary users database in a wholly identifiable format. Information about everyone, recorded by every sort of health professional is going to be copied from all the various components of the Connecting for Health systems.

Data will still be transferred even if the patient has chosen to ‘supplement these access controls by choosing not to have their clinical record shared.'

The identifiable data will be searchable. Records can and will be released in identifiable form. Patients are not being informed about this and will not be even asked for consent.

It is self evident that we aspire to ‘accurate clinical information available when it can make the difference to patient safety and care.'

But as recent BMA and LMC resolutions demonstrate, the profession is increasingly coming to understand that we are not going to get such information direct from the patient in the consultation if we persevere with Connecting for Health's proposals.

In the forthcoming weeks, how do you intend to represent the profession's concerns to the new people responsible for NHS IT?

Would it not be better to radically amend the national strategy than have it scrapped completely? It could even be made lawful.


Dear Paul,

Thank you for your third email.

The Care Records Guarantee and ministerial statements give people the right not to have their record held electronically or to restrict its sharing.

A paper referral letter is estimated to visible to over 30 people, almost all with no need to see it; Connecting for Health is creating a records system that significantly improves confidentiality and restricts access.

You raise the spectre of many accesses to medical records ‘as the law allows'.

These are of course legal imperatives already in place and decided by Parliament;. Connecting for Health has to comply with these, just as you do now.

In the Secondary Uses Service, my understanding is that clinical data is identifiable on transfer and, after linkage, is pseudonymised – made unidentifiable.

It is then used to manage the health service. As you know, access to identifiable patient data without consent is possible within the health service through the PIAG process.

But, again, that is not a Connecting for Health issue but one for parliament; Connecting for Health has to operate within the law.

You ask what I am doing as a National Clinical Lead. I am listening to the wide range of views of those who work in the health service and those who use it, and advocating for the best solutions for best care.

I think its important to reflect on what would happen if Connecting for Health or NPfIT was disbanded or the Care Record Service element. Then information would be shared without proper governance controls in place and the technologies that exist would be exploited by differing individuals and trusts with no central governance structure.

The Information Governance that CFH imposes of the solutions for the Care Record Service raises standards for all. It does however shine a bright light on the practices taking place currently and puts pressure on colleagues to raise their game.

I will now ask you how you feel about GP2GP which I think all of us welcome as GPs who are managing patients with entire records on computer without having specifically asked patients permission for sharing that information.

We are comfortable with enabling the entire record to be available ( not the summary) to the receiving practice at the click of a button having identified the incoming registration on PDS.

I am continually being asked just how easy is it for us to access the summaries of patients not registered with our practice and yet the profession has requested immediate access to the entire GP record immediately to enable rapid benefit. These two sets of views are somewhat inconsistent.

Best wishes,



It has been a pleasure to debate the issues with you in this format and I hope it has been constructive.

For my concluding contribution I have to welcome your reaffirmation of the ministerial assurances, first made two and half years ago, that patients have the right not to have their information held electronically - without being obliged to withdraw from NHS care. It is this basic safeguard that ensures that any consent – opt in or opt out – is genuine.

It guarantees that Connecting for Health will have to provide systems that are trusted by both patients and by their advisors.

Unfortunately, this safeguard is explicitly not included in the National Care Records Guarantee. Nor are patients being informed in the material sent by Connecting for Health in the early adopter PCT's.

On the contrary, the claim that that Lord Warner's opt out applies only to the summary care record contradicts his predecessors' earlier assurances.

Over the two and half years, we have had no clarification of how a genuine opt out can be arranged and no suggestion as to how patient care can be carried forward in a system where all laboratory and X ray information is being transferred onto the national data base systems.

Your description of the Secondary Uses Service does not match that of published Connecting for Health documents. Data will be stored in an identifiable format.

My understanding is that only extracted data will be anonymised prior to release to those people who are not allowed access to identifiable data. I am sure you will wish to explore this further.

In addition, you should confirm that the law explicitly excludes the use of Patient Information Advisory Group powers where it is practicable to seek the consent of patients.

It is practicable to seek consent in General Practice and most other clinical settings. We do it regularly.

Similarly, the many anticipated releases of information ‘as the law allows' are not ‘legal imperatives already in place and decided by Parliament'. Often there is a common law balancing act of conflicting public interests debated on a case by case basis.

They will be better defended by clinicians - data controllers who see the public interest that accrues from individual patient privacy in their work and to whose care the information was initially entrusted.

GP2GP provides a first semblance of realism in the Connecting for Health debacle. I give you credit for this and I hope it is successfully implemented.

Under the original Connecting for Health proposals it would not have been deemed necessary and it was not planned. The new GP would simply have logged onto the same database as the previous GP had used.

GP2GP is a classic example of targeted pushed information rather than leaving it on a database where it can be pulled by thousands. It is the model that must be developed.

That said, I hope you can provide an assurance that the transferred data is deleted from Connecting for Health's intermediate messaging computers and that none of the information is intercepted in transit. The Choose and Book messaging system is not secure in this regard because of SUS.

GP2GP replicates the existing transfer of the accruing lifelong paper record, a system that is unique to the UK.

While I am clear that GP's have done a better job of protecting the privacy of information than will be afforded by the Department of Health, you are right to observe our paternalism in presuming that all patients want or need all their information automatically passed on, even between GP's who have been chosen by the patient.

I am sure that EU derived law will further improve our own custom and practice. But before then, I remain confident that these laws will be invoked to oblige further improvement of Connecting for Health's proposals.

Let's hope that before very much longer the hospital departments have distinct systems successfully designed to be used by their own clinicians.

And that we will be able to push the essential, necessary, and relevant information between the various professionals who are involved in the care of each individual.

I wish you well in your continued efforts to develop secure IT systems that your colleagues might wholeheartedly recommend to their patients and colleagues.

I would like to think that I have documented some essential requirements.

Best wishes,


Dear Paul,

This exchange of emails has been very helpful in demonstrating the extent of the common ground we share, despite some appearances to the contrary.

In particular we both agree that patients can benefit greatly from improved sharing of clinical information, but that there is a balancing need to ensure such clinical information is secure and confidential; and that patients themselves need to be empowered to decide what is right for them.

I see the HealthSpace environment playing a key role in this empowerment.

It should help to inform people concerning their choices and the ways in which their clinical information is used. In time it will reduce the use of the relatively insecure Royal Mail for sharing, for example, referral letters with patients.

You raise a number of questions about the Secondary Uses Service that I and my colleagues will pursue.

I don't understand your concern about Choose and Book since the referral letter is not stored centrally and is not available to the Secondary Uses Service. The fact of referral is recorded, but not the clinical letter.

My perception is that we have tolerated the status quo, with all its risks and imperfections in the way clinical data is handled, because there was no viable alternative.

We are now creating an alternative and it is a major improvement in terms of the protection and empowerment of patients. In such a transformation, not everybody will be fully satisfied, and there is clearly a need for high levels of scrutiny and vigilance. That is a role in which you excel.

For the present I believe that the combination of the Care Records Guarantee, Ministerial assurances and current law offers a good framework.

If the balance of patient benefits and rights proves not to be correct, we'll have to push – together! – for improvement.

Best wishes,


Dr Paul Thornton is a GP in Kingsbury, Warwickshire; Dr Gillian Braunold is GP clinical lead for Connecting for Health

Dr Gillian Braunold: Care record implementation is a balance of benefits and rights Dr Gillian Braunold: Care record implementation is a balance of benefits and rights Dr Paul Thornton: has concerns over confidentiality Dr Paul Thornton: has concerns over confidentiality

Rate this article 

Click to rate

  • 1 star out of 5
  • 2 stars out of 5
  • 3 stars out of 5
  • 4 stars out of 5
  • 5 stars out of 5

0 out of 5 stars

Have your say