Opting out of the NHS Database

November 1st, 2006 at 12:14 UTC by Richard Clayton

The front page lead in today’s Guardian explains how personal medical data (including details of mental illness, abortions, pregnancy, drug taking, alcohol abuse, fitting of colostomy bags etc etc) are to be uploaded to a central NHS database regardless of patients’ wishes.

The Government claims that especially sensitive data can be put into a “sealed envelope” which would not ordinarily be available… except that NHS staff will be able to “break the seal” under some circumstances; the police and Government agencies will be able to look at the whole record — and besides, this part of the database software doesn’t even exist yet, and so the system will be running without it for some time.

The Guardian has more details in the article: From cradle to grave, your files available to a cast of thousands, some comments from doctors and other health professionals: A national database is not essential and a leading article: Spine-chilling.

The Guardian give details on how to opt-out of data sharing: What can patients do? using suggestions for a letter from our own Ross Anderson who has worked on medical privacy for over a decade (see his links to relevant research).

If you are concerned (and in my view, you really should be — once your data is uploaded it will be pretty much public forever), then discuss it with your GP and write off to the Department of Health [*]. The Guardian gives some suitable text, or you could use the opt-out letter that FIPR developed last year (PDF or Word versions available).

[*] See Ross’s comment on this article first!

Entry filed under: News coverage, Privacy technology

36 comments Add your own

  • 1. Ross Anderson  |  November 1st, 2006 at 13:06 UTC

    I didn’t in fact draft the opt-out letter in the Guardian – they did.

    There are at least three things you should be able to opt out from. First, you can opt out of having your GP data uploaded to the spine (or so ministers have promised in the past); for that, write to your GP.

    Second, you can opt out of having your address and contact details on the PDS (population demographics service – the NHS ‘address book’). This is prudent if you’re on a witness protection program, or fleeing an abusive relationship – if you don’t, then hundreds of thousands of NHS staff have access to your real name, address and phone number. If you’re the sort of person who goes ex-directory and ticks the privacy box on the electoral register, this is for you.

    Third, you can opt out of the NHS Secondary Uses Service (SUS) which stores records of all hospital treatments in the UK (this includes much sensitive stuff like abortions, and A&E treatments for drug overdoses). To do this you must invoke section 10 of the Data Protection Act and state that the availability of your hospital records to large numbers of civil servants etc causes you distress.

    This was all explained to the Guardian folks; I suppose theeir subeditors cut it down to fit the page.

    All these optouts are exercised via your GP, and it is much more important that you write to your GP than to the Secretary of State. (The chance she’ll ever be shown your letter is pretty small)

  • 2. Clive Robinson  |  November 1st, 2006 at 13:29 UTC

    Just one thing, send a copy of your letter to your local MP and ask them to take it up with Parliment.

    That way the current Sec of State cannot deny the size of the problem.

    There used to be the old rule of thumb that if five constituents wrote to their MP with a common complaint then they where “honour bound” to raise it in Parliment. However those days have changed

  • 3. Joonwoong Kim  |  November 1st, 2006 at 22:50 UTC

    There is also a news article about DNA database today. And,
    a point of view about the US’s system in the October issue of Spectrum – Dying for Data is readable.

    I wonder how far this trend of threats against personal data will go. It reminds me of the environmental issue analogy of privacy in Simson Garfinkel’s book – Database Nation.

    By the way, I’m interested in the “ubiquitous healthcare system”. Maybe the situation gets worse because of more deatils about individuals, but it might turn out to be such a good opportunity that a user can have regain the control on his healthcare information. No strong basis, but I am trying to establish the priciple and the policy of the system.

  • 4. Freebyrd Freeman  |  November 2nd, 2006 at 15:09 UTC

    NHS Medical Data Base – Government plans to put medical records on a national electronic data base. My personal view is that psychiatric files should inform the appropriate agencies if a person was genuinely potentially dangerous (to themselves or others) or if the person was in danger from others. Documentation should also inform the appropriate agencies as to the person’s level of vulnerability and need of assistance. I have very great concerns about the proposed new data base. I have seen huge amounts of paperwork concerning myself, most of it is inaccurate, misleading and open to interpretation.

  • 5. Freebyrd Freeman  |  November 2nd, 2006 at 15:10 UTC

    Complaints – One of the main problems service users have when complaining about mental health authorities is that the authorities decide the rules of their complaints procedure. In my experience there is also a tendency to penalize the complainer and be-little the complaint as being part of a psychiatric dysfunction. This site will campaign for greater accountability from psychiatric services. Their exists no independent authoriety, to protect the rights of mental health service users. No board of vistors, no independent complaints commision etc. This is clearly wrong and un-democratic, it is very easy to dis-couredge a mentally ill person from complaining. http://www.ticketytock.org

  • 6. Ross Anderson  |  November 2nd, 2006 at 22:58 UTC

    Today’s Guardian has Helen Wilkinson’s story, a piece on supplier troubles, the government plan to take our data even if we don’t consent, and a rant from one of the more outspoken medical blogs.

  • 7. Ross Anderson  |  November 2nd, 2006 at 23:01 UTC

    Sorry, missed the link – here’s the piece on the troubles of supplier iSoft

  • 8. Michael Roe  |  November 3rd, 2006 at 15:27 UTC

    Some time ago, my medical records were sent to a practise in a completely different part of the country. My GP was notified by the NHS that I had transferred to a different practise, so she sent off my records. In fact, I had done no such thing. So the next time I saw her for treatment, she didn’t have my records. (And someone who wasn’t entitled to them did).

    I think there’s good reason to not trust a NHS central authority with your records. (Error, incomptence, and insufficient protection against fraud).

  • 9. Dave  |  November 4th, 2006 at 11:12 UTC

    I tried opting out of the spine but was not allowed.
    tried preventing my address ect being up loaded after I found out how many people would have access (there are sensitive personal security reasons for this) but was denied.
    I did manage to get my opt-out of SUS and so no data can go via that.

    It also has to be mentoned that it is up to the doctor to decide if you get your data up-loaded. Bassed on my experiences that measn you are unlikely to be able to stop it. I tried this before but had my records put on a central computer where even the receptionist has “full” access. This was despite the fact I had refused to allow it. I was then refused treatment for a chronic condition go without a GP (that is still the case) to prevent my entire GP record being uploaded (they still up-loaded the info I gave the GP even though I had disclosed it and been examined on the condition that the data would remain ‘doctor-patient confidential’ and not be accessable to anyone outside the individual practice). To date, the medical group and the PCT have refused to say who has accessed it or who it has been shared with and even the Information Conmmissoners Office could not care less about finding out or preventing data being shared where the patient is ignorant of (even though they have said patients can not consent to data sharing he/she is ignorant of). It seems they can simply tell you after wards, backdate it and then share it.

    Scotland is far worse with patients even being misled into thinking that if they dont let the doc/nurse up-load whatever they want and let loads of admin staff access it (this includes if you have had an STD/STI, sexual problems, been raped/abused, alcohol/drgu problems and even if you hav had an abortion) their lifes will be at risk.

    Section 10 is not much use. I tried that with my last practice in Aberdeen, even offering to explain why it would cause me harm. It was made clear that the data would still be shared even where harm was likely to take place and no patient has the right to prevent data sharing (patients were also not allowed to prevent an Emergency Care Summary being created even though it is the right of most patients. I say most because chances are your average 11-16 year old are unlikely to be given any choice).

  • 10. .$author.  |  November 4th, 2006 at 13:39 UTC

    [...] Well, you apparently have the legal right to opt out of this “data rape”: In June 2005, FIPR developed an opt-out letter to send to the Secretary of State. People who sent this off have been fobbed off. We now recommend that you opt out via your GP. Ask your GP to enter into your record the code 93C3 (”refused consent for upload to national shared electronic record”). You can also ask for your address and phone number to be kept off the NHS internal directory, and for your hospital records also to not be uploaded to central systems: see here for details. We encourage you to opt out even if you have nothing to hide; if only people who do have something embarrassing in their records opt out, then doing so will carry a stigma. [...]

  • 11. .$author.  |  November 6th, 2006 at 02:01 UTC

    [...] http://www.lightbluetouchpaper.org/2006/11/01/opting-out-of-the-nhs-database/#comments –> [...]

  • 12. Ross Anderson  |  November 8th, 2006 at 18:07 UTC

    See the debate among health professionals that this kicked off in e-health insider

  • 13. Gavin Jamie  |  November 9th, 2006 at 10:29 UTC

    Interesting commentary in yesterdays JAMA (Journal of the American Medical Association) by the Chairman of the Kings fund and Richard Granger.

    The NHS number was developed in the mid-1990s to enable both the anonymization of medical records and the possibility of linking records held in different locations to improve the quality of care and research.

    NHS number supports anonymisation?

    If the person does not object, the personal spine information service will also contain a summary of clinical conditions and major treatments. This information will support the secondary users service that will provide anonymous data for public health and health services research.

    It is currently held that individuals do not have the right by law to dictate in what form the NHS keeps information about them, whether it is demographic or clinical information. They also do not have the right by law to object to demographic information being shared to provide them with care. They do, however, have the right to object to clinical information being shared, provided withholding this information does not pose a risk to others in the population. Individuals will be able to indicate to a clinician at any time their wish to restrict sharing their clinical information. This will include the summary care record created from the detailed care record held by their general practitioner. For those individuals who do not object, information initially will be uploaded from general practices that have reached certain quality standards and that are using SNOMED (Systematized Nomenclature of Medicine) codes.8 Patients will be informed by letter when this process is about to begin in their practice. When they next visit the practice, there will be an opportunity to review the content of the summary record, make changes, and agree what further information should be placed within it. With regard to the detailed care record, patients can ask that certain information should not be recorded in their record; however, clinicians do have a duty to keep proper records and therefore some negotiation may be necessary. Particularly sensitive information may be held in a sealed envelope within the electronic record, which can only be accessed with the explicit permission of the patient.

    While no individual has the right to opt out of the demographic record, he or she can opt out of all aspects of the summary care record and can request that all detailed care records held by clinicians or health care centers be held nondigitally in paper format or in nonconnected electronic systems (Table). A Care Record Guarantee, a guarantee from the NHS to each citizen, has been issued9 and will be updated every 6 months as experience accumulates. The main issue at present concerns the secondary use of information. As currently planned, it will be possible for each citizen to indicate whether he or she wishes information from their summary care record to be transferred, for example, to disease or illness-based registries, or to be made available to the pharmaceutical industry. Such information can be made available after anonymization without the individual’s specific permission, although each person will have the right to object to his or her information being anonymized in the first instance.

    The complete opt out for clinical information seems quite strongly supported. If you have a subsciption try the direct link.
    NHS users should be able to get Athens access through the NHS library.

  • 14. Bill  |  November 21st, 2006 at 09:39 UTC

    I have no doubt that if there is widespread usage of this opt-out then the government will simply ban it.

    So is there another way of getting around this problem? Perhaps by taking ownership of our own medical records?

    Currently when you change GPs you new GP requests your medical records from your old GP who then send them on. So could we get hold of our own records by faking one of these requests?

    Many of us have access to computers and laser printers and it wouldn’t be too hard to knock up a convincing copy of one of these requests.

    So are there any friendly GPs out there that could publish one of these documents, and explain the transfer procedure (i.e. does the old GP have a way of confirming that the new GP is real?)

    Obviously this will not be appropriate for most people, but I’m sure it would be welcomed by those of us that really value our privacy, and don’t have any nasty conditions that an A&E really should know about if we’re dragged in unconcious.

  • 15. Peter Mitchell  |  November 21st, 2006 at 10:53 UTC

    The offical DH line is that we have no power to stop our summery records being uploaded to the Care records Service, though as a concession we can stop them being visible to other NHS professionals.

    The problem with this ‘concession’ is that this doesn’t solve my problem, which is that my medical record will become available to officials outside the NHS. Such officials wouldn’t use the standard NHS professionals’ methods of authorised access; they’d use back doors installed for the purpose and made DPA-compliant by a statutory order (eg under s.38). Thus, if I opt out of sharing my record with clinicians, I lose all the benevolent aspects of the Spine and still cannot protect my record from the principal threat. It’s no solution at all.

  • 16. Dave  |  November 21st, 2006 at 15:20 UTC

    I moved to Scitland from England and I was wondering if my info at my practicies in Enlgland would be uploaded. Does anyone know?

    I am trying to stop my records being shared in Scotland but from the way things are going it seems patients north of the border have even fewer rights.

    When you start at a new practice they ‘request’ your GP records and this is done via an agency. I say ‘request’ because you are not allowed to say no. I tried that and the GP obtianed the records then tried to share them with staff at the practice even though I had refused to allow this and only been examined if the data was ‘doctor-patient confidential’. As far as he was concerned how the data was collected by other doctors/nurses was not relevant and the end product such as you disclosing the info or allowing the doctor to touch intimate body parts, even those of the oppisite gender (you would be suprised how many patients dont know they have the right to a same gender doctor/nurse if they want one or simply dont get told that it is part of their basic rights) justifys the means of collection.

    Relying on the doctor/nurse to protect your privacy seems to be like trusting an MP, not a good idea which is why I am trying to find a solicitor to go to court to stop my data being uploaded (list of good solicitors would be handy if anyonme knows any).

  • 17. .$author.  |  November 27th, 2006 at 23:08 UTC

    [...] On Wednesday we are launching a campaign to persuade patients to opt out too. The inaugural meeting will be from 7 to 9 PM in Imperial College, London. For background, see recent posts on opting out and on kids’ databases. [...]

  • 18. .$author.  |  November 28th, 2006 at 12:07 UTC

    [...] You have no legal right to have your data withheld from the Spine. However, some concerned GPs are considering withholding your data should you request it. Ross Anderson, a Professor of Security Engineering at Cambridge University, has described how, via your GP, you might opt out of three aspects of the Spine. He has also some published some history behind the project. [...]

  • 19. Ian  |  December 3rd, 2006 at 23:47 UTC

    Whatever the problems an “ordinary” person has in keeping his medical records confidential, I feel confident that some “VIPs” will have a way around it. Does anyone seriously believe, for example, that the controversial vaccination records of Tony Blair’s youngest child will be accessible by thousands of NHS staff?

  • 20. Dave Walker  |  December 4th, 2006 at 10:03 UTC

    From yesterday’s Torygraph, it appears that the NHS are now trying to head-off folk who try to opt out by stating that their requests are “not genuine” if they make reference to the clause of the Data Protection Act associated with “substantial and unwarranted distress”.Noting the nature of the care record which will be stored, folk who have allergies which are life-threatening if stimulated may nonetheless be able to claim genuine “substantial and unwarranted distress” – after all, the primary care record is only “invaluable” if it can be quickly proven at point of patient treatment not to have been tampered with. Otherwise, a new modus operandi for murder arises – hack a subject’s primary care record, note any serious allergies to specific medicines, delete this allergy information from the care record, injure the target in such a manner that they are rendered insensible and likely to have the allergy-provoking medication administered…

  • 21. .$author.  |  December 5th, 2006 at 15:31 UTC

    Totalitarianism, the new Black…

    Everyone living in the UK will by now have heard about the proposition to introduce a national identity card. …

  • 22. Rob  |  December 5th, 2006 at 18:44 UTC

    Oddly enough, I raised this with my GP the other week. The conversation went something like this:
    Me: “So, Doc, what do you know about the spine?”
    Him: “It’s fucking terrible, you need to write me a letter.”

    What really disturbed me was when we sat down and went through my records. There was stuff in there relating to jobs I’d held 20 years ago. For Christ’s sake, how happy am I supposed to be about some random kid with a network login being able to root around in my life like it was an underwear draw?

  • 23. Dave  |  December 5th, 2006 at 23:03 UTC

    I live in Aberdeen and was taken off a practice list because I refused to consent to data sharing the GMC, PIAG and NHS said I can prevent.
    When I took this up with NHS-Grampain complaints team they were far from botherd about it because as far as they are concerened patients have no right to restict access. If the GP, nurse or even receptionist wants to access ithe info, patients have no right to prevent this. This includes all medical data, such as if you were raped, abused, had sexual problems or anything else. Whats more the GP is allowed toi tell some of the admin staff everything about you, regardless of the harm this will cause you. If you refuse to allow the sharing, you can be denied access to health care even if this endangers your life, again NHS-Grampain seem fin=e with that one.
    I identified doctors that were sharing data without patient consent and if (that is a big IF) the patient does know but refuses to allow it, the GP can refuse to provide treatment. When I informed NHS-Gramopain that this was casuing deaths (there are likely to be several at other practices to), this again was ignored and they simply asked the accused if they did anything to breach confidentality or cause the deaths of patients.

    NHS Garmpain has made it clear that no patient should trust their GP with their datta and the GP will tell others and they want us to put such information on a national database so others can access it without our consent? Personally I think they must be lliving on another planet!

  • 24. .$author.  |  December 18th, 2006 at 10:11 UTC

    [...] For more, see TheBigOptOut.org, nhs-it.info and my previous blog posts here, here and here, and our work on children’s databases (children’s safety and privacy might be particularly at risk from the proposals, as I explain in the debate). [...]

  • 25. rosie  |  December 19th, 2006 at 12:19 UTC

    I have only just realised what is going on! At a hospital appointment it became obvious that the records they had on a computer print-out were entirely inaccurate.When I pointed this out they shrugged. I have told other relevant people including my GP who raised his eyebrows and said “Really!” but made it clear that the conversation was at an end and I had had more than my allotted 3 minutes. What can I do? And if I cannot see my own records how can I check for other inaccuracies I have moved around a lot and frequently used temporary GP services in far away places where long term treatment was initiated. I am sure that there are many gaps and inaccuracies as these records are being input by temporary clerical staff who have access to powerful and very personal information, but do not own their job and have no reason to care about what they are doing or the fact that it may influence some unknown person’s life or death in the future. Does anyone know how I can access records and how what already exists can be corrected? In my experience a computer is always believed in favour of a lowly human, especially in such absolutely authoritarian and heirarchical setups.

  • 26. Dave  |  December 19th, 2006 at 14:24 UTC

    Yo can apply to gain access to your records by writing to your practice and asking for access under the data protection act 1998. You do not need to give a reason. If you want sight of the information it can cost £10.00, photocopies are up to £50.00.

    If the info is inacurate you can ask for it to be corrected. Medical records must contain data that is relevant and accurate and must not be excesive from a data protection point of view and it is a professional requirment.

    If there is info in the records that you do not wish to be shared with others (such as admin staff or even other doctors/nurses) you should make sure this is made clear in your notes (that way you dont have to worry about some temp on min wage or someone you know finding out info you want kept private). I managed to do this with a GP in Aberdeen (who in my opinion is a godess for agreeing!).

    They should still have the paper copies from your other practices but if these are missing you could write to them for access/copies (they may not have them if it was more than 8 years ago).

    If they do not correct the records you want to make a formal complaint against the GP with the local NHS complaints team and the Information Commissonier. Make sure that you have a letter put in the records (get the practice so sign they got a copy) saying your data is inacurate but the doctors are refusing to correct it. Tis means if something goes wrong in the future you could be able to sue them for relying on data that was inacurate and you get the GP for failing to keep accurate records (assuming you survive the mistake that is!).

    You should write to any hospital you have been in and ask for the same thing. Might also be an idea to ask them to remove the data from NWCS/SUS.

    You might also want to check out the website http://www.nhsconfidentiality.org/

  • 27. Charles Torkington  |  January 7th, 2007 at 00:01 UTC

    One EMP and the whole NHS dabacle over this will be solved.

  • 28. Rosie  |  January 12th, 2007 at 14:47 UTC

    Have used your comments and constructed my own version of the opt out letter. Have forwarded a copy of this to James Eldon-Baker for someone to vet so that my ignorance is not too obvious.

    Was delighted, not only to find this site, (thanks to a small article in our local Argus the one day I bought it!) but all the information it contains really is helpful. Haven’t finsished reading it all yet as there is so much.

    So a really big THANK YOU.

  • 29. debra  |  March 8th, 2007 at 10:40 UTC

    I have read the Big Opt out letter and printed off a copy to hand in to my GP but I don’t really understand the full ramifications of what I am going to do…does it depend on individual GP surgeries? It seems a good thing to opt out but I am confused and a little intimidated by the possibility of jeopardising my access to the NHS! Can someone talk me through it..you can be as patronising as you want but be clear please!

  • 30. Dan  |  March 24th, 2007 at 21:25 UTC

    Debra, opting out of the database will not jeopardising your access to the NHS services; any NHS professional would not agree to such a move!
    I know of many NHS professionals who are unhappy with this database and its ramifications for patient confidentiality and the patient-doctor relationship.

  • 31. Jo  |  January 10th, 2008 at 18:51 UTC

    Anybody know who you should write to to opt out of the SUS?

  • 32. Richard Clayton  |  January 10th, 2008 at 20:09 UTC

    @Jo

    Anybody know who you should write to to opt out of the SUS?

    your GP, see the first comment !

    For lots more info, see http://www.nhsconfidentiality.org

  • 33. christina  |  March 31st, 2008 at 14:23 UTC

    i think people should be allowed a privat life as long as it does not interfear with work or others

  • 34. Phil Randome  |  May 1st, 2008 at 12:15 UTC

    I’ve received 2 letters & sample kit from Cancer Screening Programme in Nottingham ‘cos I was 60 recently. I live in Herts. Despite writing to my GP & completing a special pro forma my name,address,DOB & phone # has been uploaded to the NHS Spine mainframe. Hence the test kit. I’m also convinced that hospital treatment records are being submitted as well. How can I (we) stop this ? In Dec 2006 I was sceptical about the procedure whereby one could prevent medical details being gathered for the Spine that’s why I notified the GP of a false change of address & telephone #. I use a Poste Restante address.
    Do hospital records go directly to Spine effectively bypassing the GP Practice ? Is this how patient’s wishes are being kicked into the long grass ? Has anyone any answers ‘cos anyone and everyone in my surgery & nhs trust clams up when I start asking questions.

  • 35. Ross Anderson  |  May 1st, 2008 at 17:41 UTC

    This is shocking but not surprising.

    I’d suggest you post about this to the No2ID NHS blog – that seems to be the most active forum on UK health privacy issues right now

  • 36. Jack Gibson  |  May 8th, 2008 at 17:26 UTC

    Why is everyone shocked? All things have purpose. The purpose of the state is management – the undeviating control of each and every aspect of our lives. And of course Ian is right – powerful people aren’t at risk, but they don’t use the NHS anyway.

    So who actually cares? No-one. While doctors peddle the ideology of a ‘caring’ profession because it ensures control and keeps us off-guard history reveals they have always been a willing instrument of state interference, prone to moral stands only where professional interests are endangered.

    So now we do as we are told or face removal from patient lists. This is wrong. Doctors have no right to play god – morally at least – and certainly not when the taxpayer paid for their education. They should be reminded what it’s like to need the services of a medical professional. If they choose to hold a gun to our heads, maybe things won’t alter until a pattern of holding one to theirs develops across the country.

    Until then by all means continue your futile ‘debate’.

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

November 2006
M T W T F S S
« Oct   Dec »
 12345
6789101112
13141516171819
20212223242526
27282930