Is INFORMED consent needed? Apparently not if you are West Hampshire CCG
Throughout my blog posts to date, there has been the recurring theme of West Hampshire CCG failing to follow due process (ie policy and law) in my NHS Continuing Healthcare case. Lies, omissions, misinformation, and altering of outcomes all occurred. But a key part to all of this is the basic concept of consent. This is protected by the Data Protection Act (1998 when the reviews took place, now superseded by the 2018 Act which incorporates GDPR).
Our experience indicates that West Hampshire CCG will act without consent for their own financial interest and then simply deny any wrongdoing.
But surely West Hampshire CCG would be careful enough to avoid leaving any evidence?
The law is fairly straightforward. When processing data relating to an individual you must have a valid legal basis. There are a few, but this case is focused around consent as there are no court order or mental capacity issues. I am confident in my understanding due to amazing support from Dave Allison, a Certified Data Protection Officer.
A quick guide to data protection
There are three main grades of data relating to individuals – anonymised (so the person is not identifiable), personal and sensitive. As a general rule, in health settings:
· Anonymised data – can be shared freely (although you can often request that your information is not included).
· Personal data (eg name, date of birth, address) – can be shared when there is a need to know amongst health professionals. This could be done to ensure healthcare is administered correctly, eg arranging appointments.
· Sensitive data (eg medical conditions) – can only be shared if informed consent is obtained, or a different legal basis is identified (eg lack of mental capacity, risk to life, court order).
West Hampshire CCG believes that, not only can it change the legal basis for processing sensitive data, it does not need consent to process sensitive data (but later backtracks and claims they did have informed consent). Personally, I believe that they are making up any excuse to cover up unlawful actions because they were determined to reduce or remove life-saving care from my wife.
As part of my reply to the complaint about the response from West Hampshire CCG to my complaint about the January 2018 review, I raised multiple data protection issues. (Please note that at the time, we did not know that the Head of CHC had re-reviewed the clinical data as well.)
1. Consent for November Review was misinformed.
2. They still referred to the November Review report as accurate despite admitting serious errors.
3. Consent for the January Review was misinformed.
4. No consent was requested or given for a review to be carried out by a senior member of staff.
The response from West Hampshire CCG, signed by Mike Fulford (as Chief Financial Officer and Deputy Chief Officer) was as follows:
“In regard to your letter of 27 March 2018, I have also sought advice from the information governance department for West Hampshire Clinical Commissioning Group. Having reviewed your concerns regarding the Data Protection Act 1998, we are of the opinion that the reviews undertaken complied with the National Framework and there are no indications of any breach of the Data Protection Act 1998. There is a legal basis to undertake reviews and the Continuing Healthcare process has been undertaken within the common law duty of confidence adhered to in the NHS to protect personal information. Furthermore the reviews have been undertaken with both of your prior knowledge and agreement.”
Let’s review this.
“we are of the opinion that the reviews undertaken complied with the National Framework” – Where does it say in the National Framework that you should conduct a review when you lose the details of the care package, fail to ask the individual if they had a copy (we did, ironically provided within a Subject Access Request) and then lie about the reasoning for the review, especially when your policy is for annual reviews and the last one was done less than seven months previously?
“There is a legal basis to undertake reviews” – Wrong. The law (The NHS Commissioning Boards and CCGs (Responsibilities and Standing Rules) Regulations 2012, paragraph 21 (2)(b)) states an assessment of eligibility (done via a Multi-Disciplinary Team using the Decision Support Tool) must be conducted if someone receiving CHC may no longer be eligible. The regulations go on to state (paragraph 12) that CCGs must “have regard to” the National Framework. As such, the framework is guidance; CCGs can deviate from it. The guidance does state that reviews should be done on at least an annual basis, and there is sense in this. But it is not the law. And as for the basis for a review in our case – I have already addressed this point.
“the Continuing Healthcare process has been undertaken within the common law duty of confidence adhered to in the NHS to protect personal information” – Could West Hampshire CCG or NHS England please advise me where the common law duty of confidence enables sensitive data to be processed when the individual concerned has been misled, misinformed, lied to or not even told that further processing was going to occur (and in contravention of local policy).
“Furthermore the reviews have been undertaken with both of your prior knowledge and agreement.” – Seriously, West Hampshire CCG? Why do you provide answers which are just utter nonsense? How many times have we told you that we were misinformed? You must obtain INFORMED consent. Yes, we did know in advance and we did take part, we do not dispute that. But you lied to us, hence we were misinformed. We would not have taken part if we had known the real reason; we would have just given you the documentation that you lost.
BUT IT GETS WORSE
Internal emails show that this paragraph was approved subject to a final check with the Associate Director for CHC. And there was a very specific action.
“I will also run this past the AD for CHC to ensure that we are correct that the reviews do not rely on consent from the family.” (West Hampshire CCG, 10 April 2018)
A very carefully worded statement actually hides a dreadful truth. West Hampshire CCG believed that they had free access to my wife’s sensitive records. This contravenes so many principles in law and the NHS.
Data Protection Act 1998 – Schedule 3 – Consent given by individual for processing of sensitive data. (Whilst paragraph 8 (1) states, “The processing is necessary for medical purposes”, the processing in our case was not necessary.)
NHS England Confidentiality Policy – “Access to person-identifiable or confidential information must be on a need-to-know basis” and “Don’t share information without the consent of the person to which the information relates, unless there are statutory grounds to do so.”
NHS Handbook to the Constitution – “NHS staff have both a professional and legal duty to keep information you provide to them confidential and to respect your privacy. This does not mean that your information will not be shared but it does mean that it will only be shared with your agreement (consent) or if there is another legal basis.”
WHCCG Information Governance Staff Handbook – “The common law duty of confidentiality requires that information that has been provided in confidence may be disclosed only for the purposes that the subject has been informed about and has consented to, unless there is a statutory or court order requirement to do otherwise.”
NHS Continuing Healthcare National Framework 2012 – “As with any examination or treatment, the individual’s informed consent should be obtained before the start of the process to determine eligibility for NHS Continuing Healthcare”, and “Where the person has mental capacity their informed consent is required before completion of the Checklist and for every stage of the process.”
WHCCG – Joint Operational Policy (v4) – “The individual’s informed consent will be obtained before starting the process to determine eligibility for NHS CHC.”
Information Commissioner’s Office website – “You must determine your lawful basis before starting to process personal data. It’s important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, it will be difficult to simply swap to a different one. Even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.”
ICO GDPR Myths – Lawful basis myths (April 2018) – “It’s true you can have more than one lawful basis for your processing. But if you choose to ask for consent, you must respect the individual’s choice. You cannot do it anyway on a different basis if they don’t consent.”
How did WHCCG respond to future challenge on this?
They changed their mind again. They decided to go back to claim they had consent in the first place. A letter on 6 June 2019, signed by Mike Fulford on behalf of West Hampshire CCG stated:
“On 13 April 2017 Mrs Austen-Jones signed a consent form that specifically includes consent for reviews to take place. In addition both you and Mrs Austen Jones [sic] were at the review meetings and did not raise objections at the time. The reviews carried out in November 2017 and January 2018 were a requirement of the National Framework for NHS Continuing Healthcare. The information was limited to that purpose and the reviews dealt with information that was relevant, as such both the processing of the information and the reviews process itself were lawful.”
Point 1 – Our argument has always been that we were misinformed. The April 2017 consent form was from a review that took place in the April. We were disputing the November 2017 review, January 2018 review and subsequent processing.
Point 2 – We have asked for evidence that participation at a meeting demonstrates informed consent. The reply – “There is no evidence specifically that considers this point.” Now there is a surprise.
Point 3 – We did raise objections before and at the November 2017 review. But we were then lied to. I have raised this point so many times and West Hampshire CCG just refuses to engage in the point, for obvious reasons.
Point 4 – At the January 2018 review, we were still under the misguidance that the review was required. At the end of the meeting, the reviewer introduced a fake guideline to force an MDT. As such, again we were misinformed.
Point 5 – The reviews, in this instance, were not a requirement of the National Framework for NHS Continuing Healthcare and I have demonstrated this in previous posts.
The actions of West Hampshire CCG raise very serious questions about accountability and honesty within the organisation, all the way to the very top of it. Rather than admit wrongdoing, they will say anything in an attempt to get out of it. If they are willing to process my wife’s sensitive data unlawfully, how many other people are they doing it to? And I have much more to share about West Hampshire CCG and data protection breaches.
And to round this off, I did report West Hampshire CCG to the Information Commissioner’s Office for acting without consent. Their reply? “The CCG has responded to your concerns about consent.” This indicates that the ICO only cares whether a response has been given, not whether an organisation is acting lawfully and that any response holds up to scrutiny.
No accountability. No justice.