Health privacy … breaking news …

December 1st, 2006 at 15:29 UTC by Ross Anderson

The Chief Medical Officer, Sir Liam Donaldson, has written a letter to all GPs and hospital medical directors telling them that if patients try to opt out of the central collection of their medical data, the Secretary of State must be told. This follows a campaign that I’ve been helping and that has attracted strong support – in the press, from GPs and from public opinion.

This letter orders GPs to break patient confidentiality – and apparently for the noble purpose of news management. I understand that at least one GP will be reporting Sir Liam to the General Medical Council. It is entirely up to the patient to decide whether to send an opt-out letter to their GP, to Ms Hewitt, or to both. It is not for a civil servant – even a very grand one like Sir Liam – to unilaterally override the wishes of those patients who decide to write to their GP but not to Ms Hewitt. (It’s also somewhat amusing as, only a month ago, officials were telling patients who tried to opt out that their GPs would decide whether to upload data.)

Developing …

Entry filed under: Legal issues, News coverage, Privacy technology

28 comments Add your own

  • 1. Ross Anderson  |  December 2nd, 2006 at 10:15 UTC

    Donaldson has been fiercely criticised by GPs and others – see story in the Guardian today. There’s also a story in the Daily Mail (p2, not in the online version).

    About 11 last night – after the Guardian and Mail had gone to print – the Department of Health released the letter with which it’s responding to opt-out requests that use the text suggested by the Guardian. This basically tells patients to get lost. The civil servants exploit some minor inaccuracies in the Guardian letter (which I mentioned at the time – see note 1 here but also make a number of material misstatements. This kind of nitpicking is about what we’ve come to expect from the Department of Health, who are clearly rattled.

    If you want to opt out of NHS central data collection I’d suggest you use the properly drafted letter available from and send it to your GP rather than to the Secretary of State.

  • 2. Ross Anderson  |  December 3rd, 2006 at 12:13 UTC

    Story still bubbling nicely away on page 2 of today’s Sunday Telegraph

  • 3. .$author.  |  December 4th, 2006 at 09:00 UTC

    [...] Während in Deutschland wiedereinmal nur die “bizarren Datenschützer” und “Computerfreaks” vor den Konsequenzen der uneingeschränkten Datensammlung warnen, gibt es in Großbritannien auch Presseberichte über die Weitergabe der Gesundheitsdaten. Und eine Kampagne, einfach nicht mitzumachen.. [...]

  • 4. Ross Anderson  |  December 4th, 2006 at 09:58 UTC

    Today’s Guardian continues the story (see also here). Meanwhile, a straw poll conducted by a friend at the BMA of a number of GP practices reveals that every one of them has at least one dissenter!

  • 5. Ethical Hacker  |  December 4th, 2006 at 13:49 UTC

    One question, are the telecommunications lines between the data centres that host our medical records encrypted/decrypted? (including the backup sites?), and how do they share the keys!?, one would guess they don’t, and are therefore our medical information, one conjectures, in the hands of the security services anyway.

  • 6. Ross Anderson  |  December 4th, 2006 at 15:04 UTC

    This is how the whole story started back in 1995 – the DoH said it would not encrypt the NHS network ‘because there are no experts on encryption in the UK’. The BMA called me in to investigate. It turns out that encryption is the least of your worries. The government controls the data centres in which your records will be kept, so they have no need to do wiretapping. The N2 contractor, BT, says there will be encryption, but this is irrelevant to privacy – if anything it’s harmful, as it’s there in order to confuse the public. If you criticise BT for running insecure health systems in London their response is a list of all the crypto, firewalls and other goodies that they have put on their network. The security issue isn’t outsiders, but insiders; it’s that only the ten people who work in your GP’s surgery should have access to your records, not the 1,000,000 people who work for the NHS

  • 7. Ethical Hacker  |  December 4th, 2006 at 15:15 UTC

    Isn’t RBAC and PKI meant to solve all those issues? :-) What about the value of penetration tests?

  • 8. Ross Anderson  |  December 4th, 2006 at 23:36 UTC

    Blogged by Willian Heath, Tim Worstall and Dr Crippen

  • 9. Ross Anderson  |  December 5th, 2006 at 08:43 UTC

    Today it’s the Mail and the Guardian. Oh, and we’re all over the blogs

  • 10. RichB  |  December 7th, 2006 at 20:58 UTC

    You probably want to read this speech. It describes essentially the plans Google have for providing a portal to allow an individual to manage their medical data and share it with professionals.

    This stuff is still in development, but Adam Bosworth, the author, has a long track record of successful, ground breaking software development. The questions around privacy and uptake are obvious and intriguing.

  • 11. Ross Anderson  |  December 10th, 2006 at 09:47 UTC

    There’s a mention today in the Telegraph (there was a much longer piece in the Mail yesterday too but it didn’t get into their online edition)

  • 12. igb  |  December 10th, 2006 at 10:11 UTC

    Although involving a GP in the cross-fire is the sort of thing you might want to check with them informally first, one thought does occur to me. What would happen if you wrote a letter to your GP, stating that you believe that uploading your records to central government is against your wishs, and marking the letter itself as part of your medical records? Where would Liam Donaldson stand then.

  • 13. Ross Anderson  |  December 10th, 2006 at 10:29 UTC

    The opt-out letter we’ve made available at instructs the GP to file or scan it into your records. If he then ignores your instructions by uploading the lot, he creates evidence of his ethics violation.

  • 14. Countess of Mar  |  December 10th, 2006 at 18:33 UTC

    I wrote to Patricia Hewitt and sent a copy to my GP early in July 2006. I had the ‘I’m fobbing you off’ latter from Lord Warner at the end of October.
    I saw my GP last week. He is delighted – I am to be his guinea-pig.
    Keep up the good work!
    Margaret Mar

  • 15. Ross Anderson  |  December 11th, 2006 at 17:44 UTC

    We have coverage today in Eurosocap

  • 16. Ross Anderson  |  December 12th, 2006 at 10:59 UTC

    … and today there’s the Telegraph

  • 17. Peter Davies  |  December 13th, 2006 at 17:41 UTC

    BMJ news item about this and my response to it.

    I think word of the spine may soon spread wider.

  • 18. Peter Davies  |  December 13th, 2006 at 21:07 UTC

    Ian Dale on some of the people who may want medical information for nefarious purposes

  • 19. Toby Stevens  |  December 13th, 2006 at 22:34 UTC

    My GP – who has always been top notch – has not only added the appropriate Read code to my record, but has responded with a copy of Sir Liam Donaldson’s letter with the words “I DIDN’T!” written next to the CMO’s instruction to inform him of the request. At least there are still some thinkers out there… :)

  • 20. Ross Anderson  |  December 15th, 2006 at 11:14 UTC

    The Telegraph reports criticism from the BCS of CfH (which doesn’t seem to have made it to their website yet)

  • 21. Ross Anderson  |  December 15th, 2006 at 19:02 UTC

    Here is the BCS report. Many juicy bits including ‘The NPfIT is ultimately intended to provide vastly increased amounts of patient data for secondary purposes, including NHS management, planning and research. So although the associated confidentiality issues have been with us as long as electronic patient data has been available in significant quantities, the requirement to tackle them is now more urgent than ever. People using patient data for secondary purposes should obtain patient consent to use personally identifiable data or should only be able to use anonymised/pseudo-anonymized data’

  • 22. Tom Griffin  |  December 18th, 2006 at 09:57 UTC

    I fully support those GPs who are concerned at the breach of patient confidentiality that is latent in the government’s request to upload patient data.
    I would like The BMA to stand fast against the government and consider piloting their own alternative medical data portal site for holding essential UK patient data with Google. Essential data being allergies, penicillin resistance, GP’s contact details accessible only by medical professionals. Requests for more detailed information have to be made to a patient’s GP, Thus ensuring the GP remains the gatekeeper to more sensitive medical data.

    Yours sincerely
    Tom Griffin

  • 23. .$author.  |  December 18th, 2006 at 10:11 UTC

    [...] For more, see, and my previous blog posts here, here and here, and our work on children’s databases (children’s safety and privacy might be particularly at risk from the proposals, as I explain in the debate). [...]

  • 24. Peter Gardner  |  December 18th, 2006 at 19:52 UTC

    My main reason for objecting isn’t actually the security issue since I don’t have much of a medical record anyway. But I do object to this nanny state telling me that my records should be uploaded because it would be useful for a doctor who NEEDS to treat me. Don’t I own my own body anymore?

  • 25. Dave  |  January 21st, 2007 at 19:20 UTC

    The prob with not having much in the record just now is that it might not stay that way.
    Chances are the doctor will not have the time to read your medical records to get the info.
    As for owning your own body. There are people such as Tam Fry, the chairman of the Child Growth Foundation that think children should be forced to be weighed for research. In his words:
    “The Social Care Act says that when there is an urgent need for medical information it can override an individual’s right to refuse.”
    If they can force children to d this so they can get their stats, do you think they will care about your data? CfH will have all the info they need.

  • 26. Robert Robertson  |  May 18th, 2008 at 07:13 UTC

    behind you 100%. Glad to see Christopher Booker also backs you on p23 Sunday Telegraph May 18th. He directs us to http://www.TheBigOptOut but got an error message when I tried to do so. Where else can I get copy of the letter (updated or not)? Last year I notified my GP, who agreed with me but this was before your letter and I want to send that in addition now. Please advise or copy letter to my e-mail address. Thanks.
    P.S. I know Joanna Lumley is anti ID & probably would support this too. Try & get a copy to her if you have a contact address.

  • 27. Ross Anderson  |  May 18th, 2008 at 11:34 UTC


  • 28. james percival barlow  |  May 18th, 2008 at 16:27 UTC

    In view of the Government’s lamentable
    {and wasteful record in I.T.attempts} I would not agree to like proposals if
    offered to my Veterinary Surgeon.

Leave a Comment


Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


December 2006
« Nov   Jan »