MR RICHARD GRANGER, MR HARRY CAYTON AND DR GILLIAN BRAUNOLD

26 APRIL 2007

  Q20  Dr Taylor: Is the main reason for getting the Summary Care Record out first really because it is much easier and practical?

  Mr Granger: I think developing a couple of thousand work year software products to a schedule we stood up 18 months ago, that we hit the dates on, has not been easy. I think it delivers significant value out of our investment in a security framework, a central demographic database, a network, and now 102 different end-user systems that are compatible with that central infrastructure. It was always part of the plan. The sequencing of this programme that was stood up in 2002 and what we have now is different. We did not have picture archiving in 2002 at all and we will complete its roll-out during the current financial year.

  Q21  Dr Taylor: Do you think you really can answer a GP who has written to us saying the Detailed Care Record can never provide the level of detailed data sharing which would be necessary for shared care?

  Dr Braunold: I find that one difficult, because shared care we do at the moment as best we can; so I do not really know what standard that GP is talking about. Improved information will improve our care. I know how often I would like to have information, or it delays optimum treatment of a patient because I am waiting for a letter to come or information to come and I have to bring the patient back. Availability of information at the touch of a button will help improve care for all of those GPs as well as my hospital colleagues, so I find that one difficult.

  Q22  Dr Taylor: I suspect he is worried about loss of the paper system which, if you have got time to use it, does give you everything you need.

  Dr Braunold: I was talking to what I would call a "Luddite GP" the other day who said he mourns the loss of discharge letters—because they are getting electronic discharge letters, that I would give my eye or teeth for, in his area of Gloucestershire—because he is used to highlighting on it and getting people to code it; and now because he is getting it electronically quicker than waiting three weeks for a letter, he is getting it in two or three minutes, he has actually lost the business process. That is the challenge for us about learning to work differently when we have got better conditions.

  Q23  Dr Taylor: Another concern raised to us is from groups who represent patients with long-term complicated conditions, because they are longing for the Detailed Care Record to be out quickly. What can we say to them?

  Dr Braunold: That is exactly what we are doing in one of my areas about the Summary Care Records. Because it is going to take a while, one of the real, real benefits that I have not discussed about the Summary Care Record is the patient's record that they see from Heathspace; and that is something that can be put in (all of the information that will help with those pathways) straight away to support those patients and help them wherever they go, because we can put that information in. The patient will have access through the internet, through their own access controls, and they can share it where they wish under their own control.

  Q24  Dr Taylor: Why should we not be slowly developing the Summary Care Record to become a Detailed Care Record?

  Dr Braunold: Because we need to have quality information that is far more than a general practitioner-originated record. We need to start having coded information from wider places than GPs. GPs only look after patients 36 hours a week. We need to join people up. Frankly, I know the frustration of my colleagues in nursing who cannot access my records.

  Q25  Dr Taylor: You are implying there is going to be no hospital information on the Summary Care Record?

  Dr Braunold: There will be, but that is joining in 2008 onwards. That will start to be messages around discharge, and messages around the outpatient letters; but it will not be the richness of what you were describing—a conversation with a patient you put in your internal system which you would not necessarily tell me about. I do not want to know every sodium and potassium in the intensive care unit; it is totally inappropriate to be available to me routinely.

  Q26  Dr Taylor: It has got to be recorded somewhere?

  Dr Braunold: It must be in the hospital system.

  Mr Cayton: Richard, you are putting your finger precisely on the point that the Chairman raised earlier, that there are conflicting interests and conflicting views about the best way forward. What we are increasingly trying to create is a system that has some local flexibilities, that has a lot of choices for patients themselves to make about what is shared and what is not shared. As we described earlier, as the Summary Care Record is established, if people want to use it, and if patients agree with their GPs to upload more data to it, then it will become richer and more useful. You are quite right, my experience working with many of the organisations representing people with long-term conditions, they feel very strongly that they want to have a fairly rich shared record and they want it as soon as it can be reasonably provided; but we have many interests to balance in trying to achieve this.

  Q27  Dr Taylor: Are the psychiatrists on board?

  Mr Granger: I think with 30 mental health patient administration systems the people who have received those probably are. There are specific issues with particular patient groups around concerns about the propagation of information, sexual health and other groups. Gillian might talk about some consultation work we have done there. I want to reassure you on one thing around Detailed Records. We have delivered 13 community hospital patient administration systems; 171 community care PASs; 30 mental health PASs. These are systems that have introduced IT for the first time to quite a lot of frontline NHS workers that are shared Detailed Care Records working across communities. You can go to large parts of the country now, including in this city, and see people who were previously using paper notes, having to go back to offices and having to send letters to colleagues within multidisciplinary teams. My wife has worked in a community setting in the NHS and 30lbs of paper was a typical load she was carrying around as a speech and language therapist; and the only way she could propagate information across the community was by posting stuff; she did not have any other systems. A lot of people are getting systems now that do support that detailed care; but we come back to the problem of getting the warring software suppliers to get their software to work across multiple settings. We have achieved quite a lot of information flow thus far. We are running about 200 million interactions now across the spine, and I think you are going to hear from Patrick O'Connell of BT later who runs that service and you can talk in more detail about that. This is a difficult nut to crack because some people would like all information to be available everywhere; and then at the other end of the spectrum there are the privacy fascists who would like to dictate that nobody has any information available anywhere. We have been trying to forge a path between those extremities.

  Q28  Charlotte Atkins: Why was it considered necessary to move patient data to national and regional databases when developing the new records systems? Won't central databases be more vulnerable to security breaches?

  Mr Granger: I think there are different vulnerabilities. All information is vulnerable. We had to deal a couple of weeks ago with an incident of some PCT records, paper records, being left in filing cabinets that were trundled off to a scrap yard—a not uncommon occurrence, sadly, with paper records, that they go astray. Computers with records on them that are accessible get stolen from NHS premises; and people maliciously try to break into large central databases. No computers are totally secure; and paper records are not secure either. Where you have a situation where information is being freely available on paper within a hospital setting, it has the vulnerability of being browsed very easily by the very people living in the community that the patients come from. The same can be true in a GP practice. Where you have a central or regional database, you have the vulnerability of systemic examination of information either by people from within that community or strangers. We are very alive to that. There are significant sociological challenges in the busy world of health care around the balance between the ready accessibility of information to enable people to do a job quickly and adequate security. We decided in 2003 to adopt the gold standard, as it existed at the time, of Cabinet Office information security, a standard called e-GIF (e-Government Interoperability Framework) Level 3, which means we have issued 350,000 smart cards to frontline NHS staff and put them through a screening process which is not dissimilar to that which is necessary to obtain a passport, and they have had to be vouched for by senior colleagues in order to gain access to information. That has been a laborious process that has been effected through 4,000 registration points. We are the only piece of civil infrastructure in this country that has done that. We have had a couple of instances now, and one was through the ignorance of a temporary member of staff whose contract was terminated as a consequence of it, and the other was a deliberate decision in a busy A&E department. We have had a couple of instances of local variation and breach of the standards we have stood up: one smart card per person; that card must only be used by that person and so on. The technologies to enable us to move to something slicker than the use of smart cards are immature. We looked at using facial pattern recognition, retinal recognition and so on. Fingerprinting is not great. Although it exists as a mature technology it is not great in an environment where people wear rubber gloves. There are quite a lot of form factors around assuring rapid access to information and it being secure in a clinical setting. There are risks to central databases; there are risks to local databases; there are risks to paper. One of my great sadnesses about the last four and a half years is that we did not have the opportunity to spend two or three years doing benchmarking and cogitation because the benefits of getting systems in have outweighed that; but if we had we could have collected vast quantities of information about confidentiality breaches caused by paper; because that has been the status quo, and the risks to patients of paper going missing as well. The same is true of other physical media, like X-ray films. Yes, there could be a risk of having a repository with over 200 million X-ray images on it, and other digital images, but there is certainly a risk if you go to the average district hospital and they have to re-shoot 20,000-30,000 studies a year because the X-rays went missing.

  Q29  Charlotte Atkins: Given what has just happened with prospective junior doctors, what confidence do you think the public and patients will have in a computer-based system of this nature? Clearly, there were problems with paperwork; I know there were problems with smart cards left lying about and this sort of thing; but, given that very personal, confidential details of prospective junior doctors have gone public, how do you feel that this is gong to affect the public's confidence in being able to develop a system which is secure?

  Mr Granger: With regard to today's news, I am both pleased and sorry that I do not run that system. I am pleased I do not run it right now because it has gone wrong; and I am sorry I did not run it because it may not have gone wrong if I had. The only responsibility I will take in that space is that I unfortunately put the network connections in on time. Of course had I failed to do that nobody would have been able to access it, and it would have been my fault. We have had a great deal of assurance and scrutiny about what we are doing in terms of systems security. No system is ever going to be totally secure, but a remarkable number of the general public do entrust information through electronic channels with far lower levels of security than we offer, whether it is to their bank, when they go shopping, or they accept it as a matter of course if they travel by airplane, for example. I think that what we are talking about is a level of concern which is legitimate, and the balance of the benefits of the new system. I think the benefits far outweigh the disbenefits. We have a number of people whipping up anxiety about the disbenefits. They are rather similar to people who have a fear of flying: are we going to ground all airplanes globally because some people are scared of flying?

  Q30  Charlotte Atkins: You have just given assurances to people that because you are personally in control of this nothing is going to go wrong.

  Mr Granger: No, I did not say that. I actually said all computer systems are vulnerable, and no computer system can be completely secure.

  Q31  Charlotte Atkins: You implied that if you had been running the system that was dealing with prospective junior doctors that there would not be a problem. You have the opportunity now to be able to give assurances that you will put in place systems which make sure that will not happen, except in the most extreme circumstances. What would you say to a nervous patient who is going to give permission for their personal details, very sensitive to themselves, going on this system? Given what was happened with the junior doctors, why should they be confident that the system will work for them?

  Mr Granger: I would say three things on that. Firstly, I think we have a high quality team deployed and worried about this issue. It is not something we take casually; it is something we take very seriously. I cannot give you a cast iron guarantee that things will never go wrong because that would be misleading you. We take the matter very seriously. Our suppliers have a track record of working in this space. They all do work for security services, for example; and indeed one of them has a team that largely emanates from a security service running their NHS work now. Secondly, we are introducing this functionality incrementally; so it is not a big bang and we are taking things step-by-step, which is a good way of mitigating risk and examining what is going on before proceeding to the next stage. Thirdly, I would say one of the most worrying aspects of the NHS at, say, 2002, and surveys were done in 2002-2003, is that most people that we serve incorrectly believe that the information from earlier in their care is available at the next stage. We have not until recently started to fulfil that understanding that the public have about how the NHS already operates.

  Dr Braunold: Can I come in with a couple of points from my perception? If we were to say, "Okay, let us scrap it. It is too hard, it is too difficult, we should not do this, the risks are too great", my own perception is that the technologies exist for information sharing and what people would do (because I see it already) is start sharing information inappropriately. They would use ordinary email systems, they would send people information that is confidential through insecure ways, and, for me, what the National Programme for IT is really about is spending enormous resources but important resources on getting the information governance right so that we share information appropriately. For me as a clinician, the challenge in the last decade was clinical governance, and when it first came in as a phrase I think many clinicians did not understand what clinical governance was: it was a buzz word; they did not know what it meant. Ten years later, people really understand what clinical governance is, what it means to them as a clinician, and they want to raise the standards of clinical care that they deliver to patients. The challenge for the next decade is information governance. I think if I said that to the average clinician in my PCT, they would not really understand their responsibilities around information governance. That is where we are at now. In ten years' time, I believe that people will really understand what their responsibilities are about protecting patients' data, sharing appropriately information and what their responsibilities are about its accuracy and security. I think that that is why we are doing things very slowly, and incrementally. When we looked at the Summary Care Record we could have said to all 152 PCTs, "Just do it", but from where I am sitting we have to do things very slowly and incrementally and evaluate what we are doing. We have got an independent evaluation that is being commissioned (it was announced yesterday) with the University College of London that will be evaluating all of these access controls that we are describing that are not present in what happened with the junior doctors thing that was declared this morning. These access controls have to be tested to make sure they work as they have been commissioned and tested on a small group of patients before it is rolled out wider. I hope that gives some reassurance.

  Q32  Charlotte Atkins: The British Computer Society suggested that you should have a distributed database with information stored locally but accessible in a secure way to clinicians through a web-based search engine. Would that not be a more secure way of doing it and eliminate some of the concerns which patients might have?

  Mr Granger: Perhaps we could let you have a note on the number of computers that have been stolen from within the NHS, as best we can calculate it. It is interesting. I do not know whether there are hardware manufactures advising them as well. The costs of doing that are quite significant. You have a complex technical solution. I find it perplexing when we have had 20 years of systems that have been essentially based around a central mainframe or, now, a set of boxes concatenated together with relatively little information getting stored in the end-user domain and it passing securely over networks. We did not want to, frankly, experiment with the very, very large distributed network. None of the leading suppliers of solutions in this space who are willing to bid take financial and completion risk around the delivery came up with that architecture, but they are in the business of actually delivering things, making it work and then getting paid; they are not in the business of producing reports.

  Mr Cayton: Could I add, again, perhaps from the perspective of the Care Record Development Board, because the point that you raise, of course, is exactly right. There is nothing more designed to raise people's anxiety than the kind of story that I, like everybody else, heard on the Today programme or read in the newspapers this morning. As I was coming here it was a pretty heart-sink kind of moment to hear exactly that story coming out. What we have certainly always argued is that public trust in this system is fundamental to its success, as, indeed, is clinical trust, and I do not think any of us would be, as Richard has already said, remotely sanguine about the fact that we have cracked this, although I have to say that we have continued to deliver and to solve quite difficult debates and problems against a pretty relentless barrage from those who do not think this is the right way to go. What I would want to say about the confidentiality and security issues is, first of all, that we are continuing, as Gillian said, to improve our control and management of those in the NHS through improved support for Caldicott Guardians, the development of information governance rules and structures. The Government has already announced that it is establishing a National Information Governance Board, which is being supported by the BMA and many others, but really the problems about information governance are about sociology and not about technology; they are about human error, as I suspect the issue with the junior doctors database was, and they are about human wickedness and about people actually deliberately doing bad things with data—stealing it, and so on—but there are over 45 laws that apply to data management, confidentiality and security, there are seven codes of conduct, there are 11 sets of standards and guidelines, and those apply now and they will apply in just the same way with an electronic system, and we have been supporting the Information Commissioner in his bid to increase the penalties for people who maliciously steal and misuse data.

  Q33  Charlotte Atkins: Have any other countries developed a similar system—either the one that you are suggesting or, in fact, a local distributed database as is suggested by the Computer Society?

  Mr Granger: We have the misfortune of being first out of the gate with quite a lot of what we are doing, and different countries have different challenges, but if you look at provision in large providers in the US, for example, Kaiser Permanente or the Veterans Administration, you find large central databases.

  Q34  Charlotte Atkins: We are intending to look at those, yes.

  Mr Granger: If you look at what has been done in Alberta, you find a large central database but, in fact, set off with a fantasy of consent for the minutiae of information governance at each patient clinician interaction, and they gave up after about six months because, clearly, the doctors had better things to do with their time. If you look at the proposals that are being worked through by regional health information organisations in the US at the moment, they are about delivering HL7 standards based infrastructure to move information between health organisations, which is exactly what the Spine that we now have working in England does. Some of the smaller European countries have spent 15 to 20 years developing county-based distributed systems at very significant cost, and they have had a lot more time. They have different solutions. A number of jurisdictions are currently out to tender to buy something that looks remarkably similar to that which we now have large parts of working in this country. So it is a mixed picture. The structure of the NHS is unusual compared to other jurisdictions. The arrangements we increasingly have with private sector providers of NHS care and the accreditation process we have around them being enabled to display booking information in GP practices, bookings to be made and to interface with our demographic service and security arrangements, and so on, are models about which we have had visitors from Canada and Australia frequently because they see that as a template for their own arrangements.

  Dr Braunold: The other area is that I have done a little bit of journeying inside the UK and been to look at where there are some large databases already that are giving benefits. In Scotland, for instance, there are two million patient records of drugs and allergies that are helping out of hours care in Scotland that are on a single database; in Hampshire and the Isle of Wight there is a repository which holds all of the GP records—the coded section, not the text—and discharge information from the hospitals, and results, and X-rays and letters. There is an enormous amount of information in Hampshire, for instance, on a very large repository. They have all gone for putting information into a big pot, if you like, that various places access rather than distributed choice in those areas.

  Mr Cayton: A rather extreme example, but in the Veterans Administration in the States, when they had the terrible floods in New Orleans the Veterans did not lose a single patient record because they were held on a secure database in Texas. Their patients were able to go to veteran hospitals in different parts of America and immediately receive their own patient record, whereas many other hospitals had their entire record systems wiped out. I hope our system will never need to meet that kind of problem.

  Mr Granger: I will give you an example of where we have had that kind of problem: the Buncefield oil depot fire wiped out system availability for a number of NHS institutions that had systems run by a company called Northgate for a good couple of weeks, and I understand there may have been data loss as well. We had some difficulties, which I think were growing pains, last year with one of our suppliers who you have appearing as a witness, CSC, where we had some system failures. We did not lose any data and we have, since then, doubled the level of resilience. We do not just have one back-up site and tapes, we have now three back-up sites. There are systemic risks around central systems and there are systemic risks around local systems, and one of things, I think, we need to be mindful of in this country is the mobility of the population. In London one in four patients may change PCT in a year, and having information locked into local systems does not necessarily serve them well. Across the whole country we are looking at increasing mobility of patients as extended choice comes in. We need to be able to move coded information around the country; so I think an architecture that allows an extreme level of heterogeneity of solution and tries to make that standards based. We approached the BCS and asked them if they would like to assist in the accreditation process. It is a question that we continue to work through with them, but there is a balance to strike between having everything that is one (as it has incorrectly been described) monolithic system, having a small number of systems and having massive variability and standards based interaction, because the standards are not sufficiently mature at the moment.

  Q35  Charlotte Atkins: You also decided, indeed your evidence says, not to go for any sort of wholesale replacement of existing IT systems. Is not that a change in direction from your original plan?

  Mr Granger: There is a mixture. I will be clear with you. We found it very, very difficult to replace existing systems. Brownfield site implementations are incredibly difficult. We did three of them last weekend—Ipswich, Northampton and Surrey and Sussex hospitals. You might have half a million records, 10 to 20% of which are duplicates or corrupted, that have to be cleaned up by staff in the hospital; you might have 30 to 40 feeder systems, some of which require on-line interfaces to the central system; one to 3,000 users operate over one to half a dozen sites in each trust; you have to do the implementation, switch from one system to the other, over a weekend. It is a big heavy-lifting systems engineering job. It is like replacing the core systems in a small government department or small corporation—perhaps a 300 to 500 million pound turnover organisation—in a weekend. They are really difficult to do, which is why we have had significantly more success putting in systems where things did not exist previously or overlaying new functionality. Yes, it is an evolution of what we are doing based on the engineering reality we have encountered. Where we started from in Spring 2002 was a strategy. It was called a strategy and that is what it was. It was not an engineering plan from the ground up. We found data system conversion to be challenging. So we have used a number of existing systems and upgraded them, but that is not the whole story. There are also a significant number of new systems that have been implemented.

  Q36  Charlotte Atkins: But you are going to make it more complicated by allowing GPs to choose their own software and, by so doing, are you not then building in issues with it being difficult for those systems to talk to each other and so on? You have gone from one situation to a completely different situation where anything goes.

  Mr Granger: From a simplicity perspective for people putting in computer systems that work well across multiple locations, having not too many different types of software is good practice, because when you come to test upgrades you do not have lots of moving parts to enmesh in a complex gearbox. As I said, we have already got 102 different systems that are tested to run over this Spine, so it is already a heterogeneous national IT environment in the NHS in England. We got the message loud and clear from a number of GPs that their affinity for their existing software exceeded what they saw as the value of replacement, and we listened to that. Notwithstanding that, about one in ten GP practices now has a system that had very little penetration five years ago from a company called TPP. There is not enormous liquidity in that market place, there is one dominant player. It is very complex to do the data conversion, but we listened to what GPs wanted.

  Dr Braunold: One of the biggest challenges for me when I was brought in as GP Clinical Lead to do some of the engagement work with my colleagues was that clearly we had GPs (and I speak unashamedly as one of them): is how on earth could you engage GPs about something that I think is going to be one of the greatest opportunities for health gain in my generation if we get this right? On the other hand, GPs are at the forefront of computing in the world, frankly, and the risk of losing some of that enormously rich functionality for the greater good of going to some lowest common denominator was the fear; so we needed to find a solution which would continue to engage my colleagues and make sure that they did not lose the functionality that they were enjoying as we moved forward. We engaged with the programme as Clinical Lead and said: how can we move forward on this issue? It was a really important issue to get right. The GPs System of Choice, which is the OJEC which is going on at the moment, which is an enormously important lever forward for the programme and for GPs and for twenty-first century computing for general practice, enables continued investment in suppliers that are able to meet the standards of the National Programme for IT and show a migration path against the things that the programme is to deliver. Dr Cundy, who you are going to hear from after us in the next session, who is Chair of the Joint GP IT Committee, was one of the GPs that I asked to go to do one of the evaluations of the suppliers who put in to be part of that OJEC. Unlike some of these European OJEC things—those things are usually trying to bring it down to one person to win—this was not an exclusive tendering. It is intended to be open to anybody who wishes to take part who can meet the standards, and as long as they can meet the interoperability standards and the standards that we require for interoperability and a pathway towards integration, then they are welcome to join in, and I am sure you will ask him some more about GPSoC, which has had full, wholehearted support from all parts of the GP economy.

  Chairman: We are now going to move on to some questions about timing and timescale. It might be appropriate if I mention at this stage that we are about six minutes away from what we thought would be the end of this session, and in the light of what is in front of me and around the table, that is not the case. I wonder if I could ask for sharper questions. I understand the need for you to have your say, but sharper questions and sharper answers.

  Q37  Jim Dowd: You have just stolen my line. I was going to say the whole of the IT project is running behind time and so is this session of the Committee! In part of the evidence it says, "The transformation from paper to digital information will take place gradually up to 2010 and beyond." That sentence is impenetrable. What the hell does it mean and what is the significance of 2010? If it is gradual to 2010, what will it become afterwards?

  Mr Granger: If I could just say one thing as a matter of record. It is inaccurate to state that the whole of the programme is late. That is not true. Some of the programme is late, some of it is on time and some of it is early, and that information has been available and certainly the clerk of your committee had some information to that effect into the progress we have actually made.

  Q38  Jim Dowd: Can you now answer the question that I asked you?

  Mr Granger: Getting hospital doctors' paper-based notes on to computers, for example, or structured communication between hospitals and GPs, requires a level of consensus from the end-user community which cannot be ignored or ridden rough shod over. So, we will not have a paperless NHS for a long time, in fact, we may never have a paperless NHS, because it may not be worth computerising and going to a paperless environment for absolutely everything that we do. Less and less paper is circulating in the NHS. So, if you go to hospitals that have got—

  Q39  Jim Dowd: That is what it says. It does not say it might never be completed, it says it will completed but it is vague about when it will be completed. Are you saying this characterisation is just inaccurate?

  Mr Granger: No, I am saying it is gradual. Most of what we set out to do in 2002 will be completed by 2010, but during that time a number of other things are now being computerised as well.