Concerns Heightened About Opt-Out Central Database For UK Patients' Health Data

The Central Database For UK Patients' Health Data
The Central Database For UK Patients' Health Data

The purpose according to the health service is to provide the data necessary to improve the health service. But it is raising considerable concerns among privacy activists, both in the information and options provided to the public, and the ultimate use of the data.

The data itself could hardly be more personal, as an official 'guide for GP practices' explains: "The data to be extracted from GP systems for includes information such as family history, vaccinations, diagnoses, referrals, biological values (such as blood pressure, BMI and cholesterol with QOF exceptions codes) and all NHS prescriptions. Identifiers (DOB, postcode, NHS number and gender) are required to link the GP data with PCD from other care settings in order to analyse patient care across pathways."

Privacy concerns are being raised both over the way the program is being initiated, and the use of the data once uploaded. The law requires that patients be able to opt out of this process (although it could be argued that European law requires that patients specifically opt-in before anything can be done with their data). The Information Commissioner insisted to the NHS that patients be informed of their right to opt out – and that is the primary role of the leaflet.

"Needless to say," warns Ross Anderson in Light Blue Touchpaper, the Cambridge university computer laboratory blog, "their official leaflet is designed to cause as few people to opt out as possible." One of his concerns is that there is little opt-out information: the four page document contains the single sentence, "If you do not want information that identifies you to be shared outside your GP practice, please ask the practice to make a note of this in your medical record."

Anderson points to an example of how he believes the leaflet should have been written (Important changes to your medical records) which includes a written form for those who wish to opt-out. But even if the leaflet had been written in this way, he adds, "the process still won’t meet the consent requirements of human-rights law as it won’t be sent to every patient. One of your housemates could throw it away as junk before you see it, and if you’ve opted out of junk mail you won’t get a leaflet at all."

At the moment, patients have the legal right to opt out with their GP because the GP is the legal data controller. Once that data is uploaded to the HSCIC, the GP will no longer be the data controller and will have no say or authority over the data. The effect will be that patients can prevent further uploads, but will never be able to delete data already uploaded. "If you don’t opt out your kids in the next few weeks the same will happen to their data, and they will not be able to get their data deleted even if they decide they prefer privacy once they come of age," warns Anderson.

The primary purpose of the data once uploaded will be to improve the health service for all. NHS England’s chief data officer Geraint Lewis told the Independent, “The test should be about how it’s going to benefit patient care, rather than making any sweeping ideological statement that we’re not going to allow private companies to access the data. They’d have to demonstrate the same security safeguards as NHS organisations and demonstrate how it would be used for NHS care. The HSCIC never allows data to go to insurers or to be used for marketing purposes.”

But the data will almost certainly be sold on to researchers, universities and pharmaceutical companies. Once uploaded, the only further control patients will have over their personal medical data will be whether it is anonymized or not (unless specifically requested by the patient, it will not be anonymized). The patient will have no control over what is done with his or her anonymized data because HSCIC will have no duty of confidentiality – anonymized personal data is not considered to be personal data under the Data Protection Act. Furthermore, recent studies on communications metadata clearly demonstrates that anonymized information can easily be de-anonymized. Anderson's own studies have concluded "computer science has now demonstrated that the security of personal records in databases cannot be guaranteed through anonymisation procedures where identities are actively sought.”

The security concerns over the HSCIC database of personal patient information include misuse of the data by those with legitimate access to it; a large target for hackers and hacktivists; and sale to commercial third parties where, despite the comments of Geraint Lewis, it could be used for marketing purposes.

What’s hot on Infosecurity Magazine?