The Debate Over NHS Pseudonymized Patient Data Grows

The NHS plans to collect all patient health data from GPs and hospitals and store it in a single central database called care.data. The data cannot be stored anonymously since patient data from hospitals is to be amalgamated with their GP health records. This single central storage is generating concern from security experts – not simply as a target for hackers, but over the inevitable abuse and misuse by 'insiders.'

The biggest concern from privacy activists, however, is that the data will be made available, inexpensively, to academics and medical researchers, including pharmaceutical companies and insurance companies.

Patients are able to opt out of their GP records being sent to care.data. If they do not opt out, their records will be provided to researchers in full, unless they object to their names being included. If they do object, the records will be 'pseudonymized' before being handed over. The Out-Law legal blog notes, "Kelsey said that the names, addresses, postcodes and NHS numbers of patients would be 'stripped' from the data collected from GP surgeries... 'This data is stripped of all the identifiers ... and in their place is substituted meaningless pseudonyms in order that this data can be linked with other data sets,' Kelsey said. 'Can I be categorical – no one who uses this data will know who you are.'"

It is this last statement that is being challenged. In the radio broadcast, Phil Booth, coordinator at medConfidential, pointed out that pseudonymous data is not anonymous data, and that patients can be re-identified. Matthew Godfrey-Faussett of Pinsent Masons, the law firm behind Out-Law.com, confirmed his concerns. "The rapid growth in data analytics technology fueled by the explosion in big data means that there is an increasing risk that by combination with other data sources, granular data of the type found in health records will, over time, be capable of being linked back to identifiable data subjects," he said.
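The linkage risk Booth and Godfrey-Faussett describe can be measured before a data set leaves the door. The Python script below is an added example, not code from the article, NHS England or HSCIC; the six patient records, the HMAC key and the fields assumed to survive the release (date of birth, sex, admission date) are all constructed for illustration. It strips the direct identifiers the article names, substitutes a keyed pseudonym so records about one patient can still be linked across data sets (the stated purpose), then audits how many records are singled out by the fields that remain, and shows how coarsening those fields raises the smallest group size.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo key: a real deployment would hold this in an HSM or key vault.
KEY = b"constructed-demo-key-not-for-production"

# Constructed sample records (no real patients). The first three fields are the
# direct identifiers the article says are stripped; the rest stay in the record.
RECORDS = [
    {"name": "A. Smith", "nhs_number": "000 000 0001", "postcode": "SW1A 1AA",
     "dob": "1971-03-14", "sex": "F", "admission_date": "2013-01-05", "diagnosis": "type 2 diabetes"},
    {"name": "B. Jones", "nhs_number": "000 000 0002", "postcode": "SW1A 2BB",
     "dob": "1971-08-02", "sex": "F", "admission_date": "2013-01-20", "diagnosis": "asthma"},
    {"name": "C. Patel", "nhs_number": "000 000 0003", "postcode": "SW1A 1AA",
     "dob": "1971-11-23", "sex": "F", "admission_date": "2013-01-09", "diagnosis": "hypertension"},
    {"name": "D. Brown", "nhs_number": "000 000 0004", "postcode": "M1 1AE",
     "dob": "1985-11-30", "sex": "M", "admission_date": "2013-04-11", "diagnosis": "fracture"},
    {"name": "E. Khan", "nhs_number": "000 000 0005", "postcode": "M1 2AF",
     "dob": "1985-05-09", "sex": "M", "admission_date": "2013-04-02", "diagnosis": "migraine"},
    {"name": "F. Evans", "nhs_number": "000 000 0006", "postcode": "M1 1AE",
     "dob": "1985-02-17", "sex": "M", "admission_date": "2013-04-28", "diagnosis": "eczema"},
]

DIRECT_IDENTIFIERS = ("name", "nhs_number", "postcode")
# Fields that are not identifiers on their own but, in combination, can single
# a record out (quasi-identifiers). Assumed to remain in the released data.
QUASI_IDENTIFIERS = ("dob", "sex", "admission_date")


def pseudonymize(records, key):
    """Drop direct identifiers and add a keyed, deterministic pseudonym.

    The pseudonym is an HMAC of the NHS number, so the same patient gets the
    same token in every data set keyed with the same key (that is what makes
    linkage possible), while the token reveals nothing without the key."""
    out = []
    for r in records:
        token = hmac.new(key, r["nhs_number"].encode(), hashlib.sha256).hexdigest()[:16]
        p = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        p["pseudonym"] = token
        out.append(p)
    return out


def _class_sizes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest equivalence class over the quasi-identifiers. k == 1 means at
    least one record is unique on those fields alone."""
    return min(_class_sizes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Share of records that are the only one with their quasi-identifier values."""
    sizes = _class_sizes(records, quasi_ids)
    unique = sum(1 for r in records if sizes[tuple(r[q] for q in quasi_ids)] == 1)
    return unique / len(records)


def match_count(records, known):
    """How many records match a set of attributes someone might already know
    about a person (e.g. from another data source). A count of 1 means the
    pseudonym, and every clinical field beside it, is tied to that person."""
    return sum(1 for r in records if all(r.get(k) == v for k, v in known.items()))


def generalize(records):
    """Mitigation: coarsen quasi-identifiers to birth year and admission month
    so several records share each combination."""
    out = []
    for r in records:
        g = dict(r)
        g["dob"] = r["dob"][:4]
        g["admission_date"] = r["admission_date"][:7]
        out.append(g)
    return out


if __name__ == "__main__":
    released = pseudonymize(RECORDS, KEY)
    print("pseudonymized only: k =", k_anonymity(released, QUASI_IDENTIFIERS),
          "unique =", unique_fraction(released, QUASI_IDENTIFIERS))
    coarse = generalize(released)
    print("after generalization: k =", k_anonymity(coarse, QUASI_IDENTIFIERS),
          "unique =", unique_fraction(coarse, QUASI_IDENTIFIERS))
```

On the constructed data every pseudonymized record is unique on date of birth, sex and admission date (k = 1), so a single known fact pattern isolates one record and its pseudonym; after coarsening to birth year and admission month the smallest group is 3. The audit is the check a release reviewer runs; the pseudonym itself does nothing to change the result, which is the point Booth makes.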

In fact, a report from the Royal Society in June 2012 says very clearly, "The EU Commission should be more explicit in the Data Protection Regulation about its commitment to research in the public interest and clearer about the relative roles of consent, anonymization and authorization in research governance. In doing so, the Commission should recognize that anonymization cannot currently be achieved."

Cory Doctorow at Boing Boing goes further and suggests that reliance on the concept of pseudonymization discredits the entire security stance of care.data. "It's clear," he says, "that no one involved in the process gives a damn about privacy. These data-sets – which will be sold on the open market to commercial operators – are 'anonymized' and 'pseudonymized' through processes that don't work, have never worked, and are well-documented to be without any basis in reality."

The Information Commissioner's Office (ICO) is also concerned about the way the government is informing patients about the project. Spokesperson Dawn Monaghan told the BBC, "What it says in the leaflet [distributed to homes by NHS England] is that ... you can object to your personal confidential data leaving the GP surgery or leaving the [HSCIC] and we're not sure without further explanation on the website and very clear views whether people will understand what that means."
