I have written a letter to Stephen Dorrell, the chair of the Health Committee, to point out how officials appear to have misled his committee when they gave evidence there on Tuesday.
It is very welcome that the Health Secretary, Jeremy Hunt, announced he will change the law to ban the sale of our medical records collected via HES and care.data. He acted after it became clear that although officials told the Health Committee that our records collected via care.data could not legally be sold, records collected via a different system (HES) already had been. But that is not all.
Officials also said our records would not be sold abroad, and that only coded data would be extracted rather than free text entered by GPs during consultations. Yet our records were offered for sale in the USA; the Department signed a memorandum of understanding with the USA on data sharing; and CPRD (a system operated by MHRA, the regulator) has been supplying free text for mining.
I also sent Mr Dorrell a previously unpublished briefing I wrote for the European Commission last year on the potential harm that can follow if patients lose confidence in confidentiality. Evidence from the USA and elsewhere suggests strongly that tens of thousands of people would seek treatment late, or not at all.
9 thoughts on “Health privacy: not fixed yet”
I’m not sure we should feel that reassured by Hunt’s announcement – details are lacking at the moment, and the government appears to have missed an opportunity to bring in custodial sentences for data protection offences: http://informationrightsandwrongs.com/2014/03/01/why-no-prison-sentences-for-misuse-of-medical-data/
And here’s evidence of HES data leaving the UK and being used on cloud systems:
Cloud Pro magazine
As Google have no data centres in the UK, this means the assurances at the HSC on Tuesday are rather hollow.
Here’s evidence of HES data being used for direct marketing to patients, bypassing almost all governance:
I note that both care.data & HES do not include episodes of care that have taken place in private hospitals and have been given to private patients.
This seems utterly unfair. After all, the data sets will be much the richer if all data of private patients is also included. (Disregarding of course that care.data will only contain data from July 2013 onwards. Pretty bl**dy useless for any sort of historical research but…)
I’d like to see the law changed by Hunt to include this ‘private sector’ data. He could do it at the same time as he is changing the law to stop all data of NHS patients being sold. After all, the data is all anonymised/pseudonymised. There’d be absolutely no chance of anyone “important” (royalty, politicians, sports persons etc.) being reidentified from this data… Surely what’s good enough for NHS patients is good enough for those who go private?
More evidence that HES data is moving outside UK:
Ben Goldacre has tweeted that HES data were put online, on a website that’s now taken down. He won’t identify the website in case the stuff is cached or archived somewhere.
The website was http://www.earthware.co.uk.
HSCIC have confirmed this.
There’s a cached version of the front page here:
The URL that Google has cached for access to the tool bears spelling out in full:
Non-https, arguments passed via GET operation, etc.
That now leads to an error message from IIS.
There’s now an update from earthware, stating it wasn’t live HES data.
Kind of related: someone got access to +200M consumer records of Americans by simply buying them from a data broker that forgot to check who was buying… http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access-200-million-consumer-records/ It would be kind of hilarious if it wasn’t so sad.
A couple of the links in the original blog post are dead:
“offered for sale in the USA”
“supplying free text for mining”