Drowning in the data loch

Robin McAlpine

You might have read an article a week or two ago. It was basically a puff piece, a placed positive promotional story. It was about how large amounts of NHS data are helping improve medicines and cancer treatment, increasingly using AI. And this is a good story, but would it surprise you that a bad story is attached to it?

Because let's be clear; you aren't going to assemble a big pile of patient data without attracting those who can profit from it. It's like the smell of a carcass for a gang of vultures (the collective nouns are 'committee' if they're on a branch and 'kettle' if they're in the air, but since I didn't know that I wasn't sure you would...)

If that means Pfizer or AstraZeneca rapidly creating a cure for Covid then I think that is great. If it means the Sacklers working out how to market OxyContin to the maximum number of patients/future addicts, then I don't think that's a great thing. So why can't I choose?

Let's rewind a second. The idea of using 'patient data' for the public good isn't new, though it's newer than you might imagine. It wasn't until 1854 that John Snow started mapping who was getting cholera during an outbreak and tracking where they'd been and what they'd done. This is how he discovered that everyone who was being affected was drinking from the same well and that was all they had in common – that represents the invention of epidemiology.

The importance of this is phenomenal – in fact within 45 years French sociologist Emile Durkheim had applied the same technique to social data by recording patterns of suicide to see if he could identify a social cause behind them (which he did).

For us, the idea that you make policy by assessing real-world data in large volumes is so routine we don't think about it. It has genuinely transformed society. Want to know what it looks like when mass data goes wrong? Well, it looks like the 2007 financial crisis or the Cambridge Analytica scandal.

This is why it is so, so important that we make good use of public data but are properly cautious about its misuse. So where is all this data exactly and how sure can you be that it isn't being misused? If I were to tell you that the answer to this is rather opaque, would you be surprised?

All your data is in the Data Loch. No really, the Data Loch is a real thing. It was created with the City Region Deal money and cost £63 million (Edinburgh University absorbed a stunning £751 million, a big majority of Edinburgh's funding during a period where poverty and housing were the capital's big problems).

It is basically a super-powerful computer with a sophisticated database at its heart – yes, that costs money, but clearly that's not where the value is. The value is in the data. And dear goodness there are lots of people that want their hands on that data.

In fact in its report Unlocking the value of data the Scottish Government's expert panel made clear why many people want Scotland's data and how to 'get the most out of it'. That includes straight commercialisation.

But unlimited commercialisation of patient data is most certainly not a good thing. So all concerned have tried to reassure people that this isn't happening. It isn't all that convincing. For a start, the business plan for the Data Loch is publicly available and a large part of the case was made on the basis of the income that could be generated from selling data. Has that business plan been scrapped?

Or would it perhaps explain why the set-up of the Data Loch made clear that a full review of the impact on Data Protection had to be completed, and yet when the whole thing was set up and had started operating, that wasn't done?

Am I being unreasonably paranoid here? I don't think so. The Data Loch partners with UK-wide initiatives which do sell data to the private sector. And there is clear form on this; another UK initiative which is very similar promised not to share data for any purpose other than medical research and then went on to sell it to insurance companies anyway.

Plus the Scottish Government's record on 'inward investment' is so significantly reliant on the sell-off of Scottish assets that I really do doubt your data is actually only ever going to be used for purely public-good purposes. Even if it is just now, in five years? Edinburgh University is barely a public institution anymore anyway – the whole operation is geared up to behave like a corporation which sells education and research services.

But – and this is really crucial – you're getting no say in any of this. Your data is pouring into the Data Loch all the time and you can't stop it. Well, you can, but first you need to know you can and then you need to get hold of a form that you need to complete and send it back to your GP. Of course, in the event that your data was being used against your express permission you would never know anyway.

Why? Because your data is not your data, not in Scotland. In Scotland it is their data. It's the usual Scottish patrician idea that big things that need to happen must happen with your consent or not, and that even asking you about it will just complicate everything, so best just not to bother you with complicated questions. Others will act on your behalf.

The alternative to this is simple; work on the assumption that your data is yours and you have a right of control over it. Not only that, you have a right to see it and use it. To achieve that all you need is a personal data store ('all' being a loose term when the issue of public sector IT procurement is concerned).

This is also a secure, powerful computer (or series of them) running a sophisticated database into which is added all your public data – with the difference being that you have an 'account' and you can see and control your data. This can be a defensive measure – for example, you could select an option saying 'I want to approve every use of my medical data individually'.

Most of us wouldn't want that, but we might select an option which says 'to be used only for non-profit research and direct medical research with clear public benefit', or 'I literally don't care – fire in'.

But it offers much more than that. It enables you to get your data and use it for other purposes. For example, if you need to get a full background check for a job, you might give that employer one-off access to the relevant data. It also offers the opportunity to greatly streamline government and public services.

I can't find a reference for this now but someone told me that about a third of the working time of public sector workers who answer phones to the public relates to progress-checking. As in 'is that application going to be approved soon?'. If you could make data-based applications online they could interrogate your data store, automate it and tell you how it was getting on.

I was given an example of this, again one I'm repeating from memory (so allow for error). It was something like 'the process for getting a shotgun licence involves 14 checks and of those all but two are simply confirming public data'. At the moment someone will manually check all that data, but a proper system of citizen-centred data would do that automatically and only the two genuinely manual checks would take up staff time.

Plus you'd be able to see this in real time – apply and watch as boxes are ticked before your eyes to tell you what has been done so far and what not. I'm on two NHS waiting lists and since neither is in any way urgent I've left it at that, but I've been on one of them for 24 months now and not heard a peep so, well, am I on the list? I could just open my data account and check, but right now I need to phone a fairly senior member of the NHS workforce (because that was what I was told to do) and he definitely has better things to do than progress-check for me.

Is the Data Loch up to nefarious things? I don't know. Could it be? Yes. Is my definition of 'nefarious' likely to be the same as that arrived at by the mostly Edinburgh University staff and managers who run the Data Loch? I doubt it. Does government ever throw up commercial opportunities which aren't, sooner or later, used to increase the profits of a corporation? Nope.

When will Scotland treat its adults like adults? Why can't we see all our data? Why can't we control all our data? When will we drag ourselves into the 21st century with a comprehensive system of public data that automates what should be automated in this day and age? There is no sign even of the discussion taking place just now.

Your data will become a more and more important issue the more our IT-run world develops. A time will come when we'll storm the barricades of the management class who have our data locked in a safe to which only they have the key. From the Post Office scandal to the mind-numbing experience of Scottish paperwork, it can't come soon enough.
