Is self-policing enough to stop NHS records being viewed in India?

It’s quite a claim: to be Oracle’s single biggest customer.

Oracle’s customers in the UK alone include the Department for Work and Pensions, which pays out more than £100bn a year, and HM Revenue and Customs, which collects about £500bn.

But NHS Shared Business Services also has some big figures in its marketing arsenal. Annually it: 

- processes £29bn of payments 
- recovers £10bn of NHS debt 
- spends about £6bn through e-procurement. 

It’s the main supplier of payroll services to the NHS.

SBS is a 50:50 joint venture between Paris-based Steria and the Department of Health. One reason for its success is that it does much of its work in India, where costs are low. Steria employs 19,000, of whom about 5,000 are in India, based at Pune and Noida.

Why isn’t SBS even bigger than it is? 

It’s remarkable that SBS isn’t even bigger than it is. When the public sector net debt is about £950bn, why don’t most NHS trusts pay their staff through the SBS shared services model? Why don’t many more trusts give SBS their back-office processing work? 

Steria says that SBS will save the NHS £224m over 10 years. It should be more, a point made by John Neilson, SBS’s managing director. 

Indeed David Nicholson, the Chief Executive of the NHS in England, wrote to trust CEOs in 2009 asking them to justify keeping their corporate services in-house.  

“Where corporate services are currently retained in-house, I would encourage NHS management boards to be clear that the decision to retain them represents better value for money than alternative options such as NHS Shared Business Services, or other shared service or outsourcing solutions,” said Nicholson.

Media controversy as NHS work is carried out in India 

But the media has raised questions about whether any NHS work that involves medical records or appointments should be handled in India, where legislation covering data protection is not as it is in the UK.

“In a move that has been labelled ‘cheapskate’ by furious critics, a senior Health Service official has suggested saving money by sending swathes of administration work to Delhi, Bombay and other cities..

“[Critics] said the plan could put people’s confidential medical records in danger …the proposal comes despite a scandal two years ago when the confidential medical records of patients at one of London’s top private hospitals were sold on by Indian IT staff.”

Health records for sale?

ITV1’s Tonight programme revealed that undercover reporters were able to buy health records for as little as £4 each from a private hospital in London. The records had been processed by IT companies in India, said the ITV programme. It did not name any of the companies.

In a separate expose, the Sunday Times reported last April that the “NHS is sending millions of patient records and confidential medical notes to India for processing — despite a pledge by Labour that personal information would not be sent overseas”.

It continued: “It is the first time that databases of names, addresses and NHS numbers of patients have been sent abroad, along with private information about medical appointments…

“Although companies handling the records in India said security was paramount, there is a risk of patients being identified if the NHS numbers are matched with anonymised clinical notes carrying NHS numbers, already being sent to India by more than 30 trusts.

“Typically, a set of clinical notes will be based on a consultant’s findings during a session with a patient, which he will read into a voice recorder during or after the appointment.

“The recording is then transferred to a computer and sent to India, where it is transcribed. One source involved in processing the information said patient names can crop up during the appointment and may then inadvertently be included with the clinical data.

“Workers in India are also producing letters for patients with appointments for cervical smear tests and breast screenings.”

The article said that pilot schemes for NHS offshore transcription services began more than four years ago and have been expanded. The Royal Free hospital in London, the Derby hospitals trust and the Newham University hospital trust are among those sending clinical notes overseas.

The Sunday Times added that the transfer of primary care trust records was being handled by NHS Shared Business Services whose spokesman said information sent to India did not include confidential clinical records, but only patients’ names, NHS numbers and home addresses. 

Security was very strict in Pune and the company complied fully with data protection laws, said the SBS spokesman.

Would SBS attract more NHS Trusts if its activities in India were more transparent? 

When it was set up SBS promised much and has delivered much, though it got off to a shaky start. In 2007, two years after it was set up, only 39% of SBS’s NHS customers said they would recommend it. A year later the figure had jumped to 86%.

A report by the National Audit Office in 2007 said that SBS had proposed to potential customers “ambitious” guaranteed initial gross savings of at least 20% on existing costs and had further guaranteed annual reductions of two per cent. 

On this basis it’s hard to argue with the rationale behind the setting up of SBS. Particularly in this financial climate the NHS needs the savings SBS brings. It is also worth noting the industry awards SBS has won.

In 2009 it added to its client list:

- Derby City Primary Care Trust 
- Derbyshire County Primary Care Trust 
- Derbyshire Mental Health Trust 
- East Midlands Ambulance Service 
- East Midlands Strategic Health Authority 
- Newham University Hospital NHS Trust 
- South Downs NHS Health Trust 
- Brighton and Hove City Primary Care Trust
- Clatterbridge Centre for Oncology

But why not many more? 

Does work in India limit SBS’s success?

It’s conceivable that the controversy over whether any NHS processing should be carried out in India is a limiting factor. Indeed NHS trusts may have to justify the transfer of their NHS processing work to India.  

Last year GP Paul Thornton asked NHS Derbyshire County, under the Freedom of Information Act, to substantiate that the processing of sensitive medical information outside the EU was “lawful and particularly that it is in accordance with the Data Protection Act”.

PCT falls short in its FOI answer 

The PCT tried to be helpful in its answer. But it fell short of giving Thornton the assurance he’d sought: authoritative documentation to substantiate the claim that NHS work carried out in India was lawful.

His FOI request was prompted by an article in a local newspaper, the Burton Mail, which said that Unison was collecting signatures for a petition to stop confidential records for NHS patients in South Derbyshire being outsourced to India.

Derbyshire County replied to Thornton that “no sensitive medical information will be processed by NHS Shared Business Services (NHS SBS) in its off shore services”. The PCT added:   

“Any sensitive medical information that is processed on behalf of the Trust by NHS SBS is done within its UK offices.  NHS SBS delivers services through an integrated onshore and offshore model and has offices in Leeds, Bristol, Southampton, Portsmouth and Ilford in the UK; and Noida and Pune in India. 

Data doesn’t leave the UK - it’s only accessed from India 

“The data processed in NHS SBS’ India offices includes GP registrations and ophthalmic forms. These do not contain any clinical data. Data does not leave the UK - it resides on servers hosted in the UK and is accessed from India. 

“NHS Derbyshire County has received this confirmation from NHS SBS as service providers working on our behalf.  NHS Derby City is the Primary Care Trust and lead commissioner of NHS SBS with responsibility for leading this project.”

So the PCT is giving an assurance to Thornton, based on an assurance from SBS. Is this wholly reassuring? 

Will self-regulation ensure sensitive NHS patient records remain confidential? 

I put a series of questions to SBS on its NHS work in India and, to its credit, it answered all of them - and without being evasive.  Its answers highlight the extent to which self-regulation and self-policing - trust in other words - assures the confidentiality of NHS patient data when processing work is carried out in India. 

And some GPs point out even names and addresses may be sensitive information when given to a medical services provider, and that patients will provide contact information to health workers that they will not provide to others.

GPs also say that confidentiality breaches in India cannot be enforced or policed. 

That said, SBS emphasises that its India-based staff have no access to any sensitive NHS medical information. 

My questions and SBS’s answers are published in full in a separate blog post. This is a summary:

- SBS and Steria do not have to publish any detail on what NHS information is viewed in India or what data fields can be viewed
- There is no fully independent check on what NHS information is viewable or processed in India, though SBS has checks that are completed and verified on its behalf. 


Self-regulation - in the form of ticking boxes to meet regulatory standards - didn’t work in the financial sector; it didn’t work at Stafford hospital when there were hundreds of deaths that could have been prevented; and it didn’t work at Haringey council, and within the NHS, when Peter Connelly, known as Baby P, died from repeated violence. 

Is there any reason to suppose self-regulation and self-policing will work in cases of lesser importance - when NHS records are viewed or processed in India? 

That said, SBS has a good reputation and no history of any breaches of confidentiality. More trusts should be putting work its way: it’s absurd that payroll for the NHS is still carried out by individual trusts. With cost-cutting a national priority, back-office services that can be simplified and standardized should be. 

As Peter Gershon (ex-OGC), Martin Read (ex-Logica), Nigel Smith (ex-OGC) and John Suffolk (Government CIO) have said: simplify, simplify, simplify. Complexity should not be a justification for administrative profligacy.

But there are legitimate concerns among GPs over allowing NHS records to be viewed in India. 

It would help if SBS had to publish details on exactly what fields of NHS data are viewed or processed in India. It would also be more reassuring if NHS work carried out in India were audited independently, and not by a firm appointed by SBS. And trusts should provide documentation to show how the terms of the UK Data Protection Act are being met. 

All this would be a small price to pay for the assurance that patient records will be kept confidential.