UK Government squares up to privacy campaigners over health data

Back in September the government declared that it was scrapping the hugely expensive centralised database system for health data inaugurated by the previous government and dubbed the ‘Spine’. At the time it stated, “it is no longer appropriate for a centralised authority to make decisions on behalf of local organizations,” adding that it would “explore ways to stimulate a marketplace that will no longer exclude small and medium sized companies from participating in significant government healthcare projects.”

Today prime minister David Cameron announces two particularly pertinent new proposals:

  • that all patients should be able to access their personal records online, which will require some form of centralized storage system even if no longer the Spine
  • that anonymised health data should be available to the life science industry (including health researchers, and  pharmaceutical companies)

He hopes the vast amount of health data secured by decades of the UK’s national health system will boost the multi-billion pharmaceutical industry in Britain, and that patients will benefit from more rapid access to emerging new drugs. And he will be encouraged by the EC, where the Public Sector Information Directive encourages the re-use, and even sale, of government gathered data.

However, Tara Taubman, a lawyer and privacy and data protection expert, wonders whether “giving access to medical personal data is a breach of the European regulations on informed and specific consent.”

The details of the new scheme are yet to emerge, but already the backlash is apparent. Ross Anderson, Professor in Security Engineering at the University of Cambridge Computer Laboratory, has voiced his astonishment at the proposals. “The coming debate,” he says, “will no doubt be vigorous and will draw on many aspects of information security, from the dreadful security usability (and safety usability) of centrally-purchased NHS systems, through the real hazards of coerced access by vulnerable patients, to the fact that anonymisation doesn’t really work.”

Tara Taubman points to work by Paul Ohm, associate professor of law at the university of Colorado, in his paper Broken Promises of Privacy. “Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often 'reidentify' or 'deanonymize' individuals hidden in anonymized data with astonishing ease.”

She also warns that it might be possible to deduce the individual from just the description.

What’s Hot on Infosecurity Magazine?