Privacy considered harmful?

January 16th, 2013 at 10:08 UTC by Ross Anderson

The government has once again returned to the vision of giving each of us an electronic health record shared throughout the NHS. This is about the fourth time in twenty years yet its ferocity has taken doctors by surprise.

Seventeen years ago, I was advising the BMA on safety and privacy, and we explained patiently why this was a bad idea. The next government went ahead anyway, which led predictably to the disaster of NPfIT. Nonetheless enough central systems were got working to seriously undermine privacy. Colleagues and I wrote the Database State report on the dangers of such systems; it was adopted as Lib Dem policy and aspects were adopted by the Conservatives too. That did lead to the abandonment of the ContactPoint children’s database, but there was a rapid u-turn on health privacy after the election.

The big pharma lobbyists got their way after they got health IT lobbyist Tim Kelsey appointed as Cameron’s privacy tsar, and it’s all been downhill from there. The minister says we have an opt-out; but no-one seems to have told him that GPs will in future be compelled to upload a lot of information about us through a system called GPES if they want to be paid (they had an opt-out, but it’s being withdrawn from April). And you can’t even register under a false name any more unless you use a stolen passport.

Entry filed under: Legal issues, News coverage, Politics

12 comments

  • 1. helen  |  January 16th, 2013 at 10:24 UTC

    An academic article about how a woman is denied access to a GP for objecting to these types of databases. http://www.ingentaconnect.com/content/rcgp/bjgp/2013/00000063/00000606/art00022

  • 2. They'reLowerThanVermin  |  January 16th, 2013 at 14:41 UTC

    So why are they doing this – cui bono, and how?

  • 3. Ross Anderson  |  January 16th, 2013 at 14:43 UTC

    Coverage in The Register

  • 4. helen  |  January 16th, 2013 at 16:22 UTC

    It’s official, in black and white from Bucks PCT: any patient who objects to this database and the use of their data is to be denied access to GP services.

  • 5. Tom Welsh  |  January 16th, 2013 at 17:41 UTC

    “we explained patiently why this was a bad idea”.

    As Kipling so effectively put it,

    “Then the Gods of the Market tumbled, and their smooth-tongued wizards withdrew
    And the hearts of the meanest were humbled and began to believe it was true
    That All is not Gold that Glitters, and Two and Two make Four
    And the Gods of the Copybook Headings limped up to explain it once more”.

  • 6. Dave Walker  |  January 16th, 2013 at 19:04 UTC

    The pretty much unique threat and practice model of healthcare usually results in a fairly pragmatic approach of “authenticate and authorise users hard, keep record access authorisations very open for practitioners, apply hard integrity and version control mechanisms to records, audit record access to within an inch of its life (and have a separate audit infrastructure with ‘all the usual good stuff’ of evidential integrity preservation, segregation of duty, etc), and allow patients to not be involved in the scheme if they don’t want to be, meaning their records don’t get uploaded, but they accept the attendant risk associated with less efficient access”.

    Further discussions around whether segregation within a record for some classes of ailment is appropriate, can be both well-informed and spirited, but rarely result in agreement.

    However, the approach I heard proposed at the BCS Health Informatics Congress last May fails to meet a good many of the recommendations above. The most interesting presentation I attended included the comments that GPs’ primary concerns on record availability, and directions / mitigations, based on findings from this approach being taken in other countries, are (with some of my thoughts in brackets):

    * provision of 3rd party info
    * whether the patient understands the record – 75% say they do (I note that nothing was said about this assertion being tested)
    * security, confidentiality – “hacking very unlikely if it’s a distributed database” (“that old chestnut” again)
    * patients being exploited, eg by companies – warnings on registration, switch off if coercion such as domestic violence etc (no evidence of thinking about duress and consequence)
    * patient recorded entries – start with structured entries – clinical governance issues
    * record availability will encourage litigation – no evidence

    Also, a further couple of speakers I heard, mentioned “…and this all has to be secure” as an apparent afterthought immediately after expounding at length on policy elements which put huge risk on confidentiality and integrity, and without mentioning enlisting the help of external expertise.

    I’ll draw a veil over the concise version of my opinion on what was suggested, as Light Blue Touchpaper is a polite blog; but suffice to say, the element in the proposed approach which really stood out for me, was that the intention is for a patient to be able to access the full copy of their medical record, or the medical record of someone for whom they are the designated carer, at any time, from anywhere and on any device, authenticated with a 4-digit PIN.

    Nonetheless, there’s a way to deal with this – although GPES may prevent it working. Still, try this:

    Everything in the proposed new NHS model begins with the assertion that the patient owns their patient record. The NHS has a seemingly lesser “duty of care” as a data custodian.

    So, as the owner of my patient record, I will take a copy of it as soon as I find out it’s been uploaded, host it on my own infrastructure with authentication and authorisation mechanisms (and, indeed, audit mechanisms) that I deem appropriate, and then send a letter to the NHS to the effect that as the owner of my medical data, I am terminating their contract as custodian of said medical data, and require them to delete all copies of it that they hold. I will also enclose a set of instructions and credentials which will enable them to access my medical data, as hosted more securely on my infrastructure, as they may require.

    Fortunately, Dame Fiona Caldicott weighed in to the effect that she was putting together a working group to review the proposals described at the Congress; I saw the associated website go up on schedule a couple of months later, and while I expect it has returned its findings by now, I haven’t been in a position to read them yet…

  • 7. Philip Hands  |  January 16th, 2013 at 21:34 UTC

    This reminds me of a paper by Les Hatton, about how the Welsh health system has approached this problem, on a tiny budget, doing the right thing (leaving patient records at the patient’s GP, and only allowing access as needed, with consent being sought):

    http://www.leshatton.org/2009/03/how-to-build-successful-complex-software-systems/

    Of course, I’ve no idea if the Welsh thing actually worked out properly in the end, but it’s interesting that England is still planning on having a big database, but now they want to lose it in the cloud so when it goes missing it’ll be someone else’s fault.

  • 8. No No No  |  January 17th, 2013 at 10:44 UTC

    Having experienced many, many problems with the NHS regarding data protection issues I will never agree to this. We can refuse to allow sharing of our data via this new GPES for a lot of things – I lodged my refusal of consent a long time ago and will at the appropriate time check that this is being upheld. Too many in the NHS do not have a clue about data protection, patient consent or refusal of consent and confidentiality. We are supposed to trust people with our data who say, ‘it is okay, I work for the NHS so you can trust us with your data’. Oh yeah, I don’t think so. If I cannot trust them with my data I will most certainly not trust them with my health.

    I have opted out of almost all NHS services because of this and will not be intimidated into this. What as a nation are we all thinking about? The government is supposed to be representing the people not forcing us into giving up our rights to privacy and confidentiality concerning our personal and sensitive data.

  • 9. Ross Anderson  |  January 18th, 2013 at 06:30 UTC

    We had a piece on all this on Newsnight last night. Here’s the program website and here’s a link to iPlayer (which will let you watch the program for a week from any UK IP address). I argued that anonymisation doesn’t really work and the government’s spokesman, Sir John Bell, agreed.

  • 10. Ross Anderson  |  January 18th, 2013 at 11:56 UTC

    And now there’s this!

  • 11. No No No  |  January 18th, 2013 at 13:32 UTC

    Well done Ross for highlighting vital issues in this programme. Anonymisation in the NHS is the biggest joke out. This is just some of the data that is shared in the NHS and with other organisations and so on under the guise that the data has been anonymised: date of birth, postcode, NHS number, gender, diagnosis, treatment, hospital number, GP code, consultant code and on and on and on. So it is absolutely clear that we are being lied to about anonymisation. Staff at all levels in the NHS do not understand the damage that is done when our medical data is shared behind our back for purposes that we are not aware of. We must be able to refuse consent or opt out of these databases and projects. The NHS must have to tell us up front about, for example, HES and SUS and GPES and make it clear that we can opt out, how to opt out, and not treat us like pariahs when we do opt out.
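
The point made in the comment above, and in the Newsnight discussion, is that a record with names and NHS numbers stripped but full date of birth, postcode and gender retained is not anonymous: those three fields are quasi-identifiers that can be joined against any public list carrying the same fields. The following is an added example, not code from the post or any commenter, that demonstrates this linkage attack on constructed sample data (the names, dates, postcodes and diagnoses are invented for illustration). It goes one step beyond the thread by also showing the standard remedy, generalising the quasi-identifiers and suppressing small groups to reach k-anonymity, and why even that leaves residual leakage.

```python
"""Linkage attack on an 'anonymised' extract (added example, constructed data).

Names and NHS numbers have been removed from the extract, but full date of
birth, full postcode and gender remain, as the thread describes.  A second
list with the same fields plus names (electoral roll, club membership list,
social-media profile) is enough to put the names back.
"""
from collections import Counter, defaultdict

# Constructed "anonymised" extract: identifiers stripped, quasi-identifiers kept.
ANONYMISED_EXTRACT = [
    {"dob": "1974-03-12", "postcode": "CB3 0FD", "gender": "F", "diagnosis": "asthma"},
    {"dob": "1974-03-12", "postcode": "CB3 0FD", "gender": "M", "diagnosis": "hypertension"},
    {"dob": "1974-09-01", "postcode": "CB3 0FA", "gender": "F", "diagnosis": "migraine"},
    {"dob": "1981-11-02", "postcode": "CB3 0FD", "gender": "F", "diagnosis": "depression"},
    {"dob": "1965-07-30", "postcode": "CB4 1AA", "gender": "M", "diagnosis": "diabetes"},
    {"dob": "1965-02-14", "postcode": "CB4 1AB", "gender": "M", "diagnosis": "diabetes"},
    {"dob": "1965-12-05", "postcode": "CB4 2ZZ", "gender": "M", "diagnosis": "eczema"},
]

# Constructed public list: same quasi-identifiers, but with names attached.
PUBLIC_LIST = [
    {"name": "Alice Example", "dob": "1974-03-12", "postcode": "CB3 0FD", "gender": "F"},
    {"name": "Bob Example",   "dob": "1974-03-12", "postcode": "CB3 0FD", "gender": "M"},
    {"name": "Carol Example", "dob": "1981-11-02", "postcode": "CB3 0FD", "gender": "F"},
    {"name": "Dave Example",  "dob": "1965-07-30", "postcode": "CB4 1AA", "gender": "M"},
]


def quasi_key(record, generalise=False):
    """Quasi-identifier tuple for a record.

    With generalise=True only the birth year and the outward part of the
    postcode (e.g. 'CB3' from 'CB3 0FD') are kept, which enlarges the set of
    people sharing each key.
    """
    if generalise:
        return (record["dob"][:4], record["postcode"].split()[0], record["gender"])
    return (record["dob"], record["postcode"], record["gender"])


def anonymity_sets(records, generalise=False):
    """Map each quasi-identifier key to the number of records carrying it."""
    return Counter(quasi_key(r, generalise) for r in records)


def k_anonymity(records, generalise=False):
    """Smallest equivalence class: k=1 means at least one record is unique."""
    sets = anonymity_sets(records, generalise)
    return min(sets.values()) if sets else 0


def link(extract, public, generalise=False):
    """Join the public list to the extract on the quasi-identifiers.

    Returns name -> sorted diagnoses of all matching extract records.  A
    single-element list is a unique re-identification; an empty list means
    the person is not (recognisably) in the extract.
    """
    index = defaultdict(list)
    for r in extract:
        index[quasi_key(r, generalise)].append(r["diagnosis"])
    return {p["name"]: sorted(index.get(quasi_key(p, generalise), [])) for p in public}


def release(extract, k):
    """Produce a k-anonymous release: generalise the quasi-identifiers, then
    suppress every record whose generalised class has fewer than k members."""
    counts = anonymity_sets(extract, generalise=True)
    out = []
    for r in extract:
        year, outward, gender = quasi_key(r, generalise=True)
        if counts[(year, outward, gender)] >= k:
            out.append({"dob": year, "postcode": outward, "gender": gender,
                        "diagnosis": r["diagnosis"]})
    return out


if __name__ == "__main__":
    print("k of raw extract:", k_anonymity(ANONYMISED_EXTRACT))          # 1
    print("linkage on raw extract:", link(ANONYMISED_EXTRACT, PUBLIC_LIST))
    released = release(ANONYMISED_EXTRACT, k=2)
    print("k of 2-anonymous release:", k_anonymity(released, generalise=True))
    print("linkage on release:", link(released, PUBLIC_LIST, generalise=True))
```

On the raw extract every one of the four named people is re-identified and their diagnosis read off. After generalising to birth year and postcode district and suppressing classes smaller than two, Bob and Carol drop out of the release and Alice is one of two candidates; Dave is one of three, but two of the three share a diagnosis, so an attacker still learns he has diabetes with two-thirds confidence. k-anonymity bounds identity disclosure, not attribute disclosure, which is one reason the "anonymisation doesn't really work" position in the post is the safer default for health data.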

  • 12. Graham Seaman  |  February 9th, 2013 at 18:57 UTC

    To No No No: you do not have the right to fully opt out of this; the Information Governance Principles on http://www.ic.nhs.uk/gpes are quite explicit both that your right to opt out is for quite a narrow range of the uses, and that an opt-out can in any case be completely overridden (eg footnote 16). It’s amazing how much of this document is dedicated to explaining ways in which they can ignore or evade opt-outs.

    And it’s been given to Atos to manage. Atos! Words fail me.
