I have to admit, I have been procrastinating about this blog post, rather as one might hesitate on the point of ripping off a large sticking plaster. The more I hear about UK National Health Service plans for a centralised database of patient records, the more I find to be alarmed and/or angry about. There are so many flaws with the project that it’s hard to know just where to start, or how long the list will end up being. I suspect the process will be painful and annoying, but is better when done briskly – so here goes.
Let’s start with the basics: the stated aim of the NHS care.data programme is to provide a nationwide repository of patients’ health records, as input to the strategic processes of quality management and resource planning. The records are not intended to be used for patient care. That bears repeating: this data will not be used for treating patients. This raises the first fundamental question: given the long-term, macro level of the stated objectives, what is the justification for collecting identifiable data at all? As long as this data is not intended to result in individual treatment decisions at the patient level, aggregated, statistical, non-identifiable data is all that is needed.
Perhaps I should stop whining about my own individual interests and contribute my data for the greater good: more data, held centrally, will improve healthcare in the long term. If provable, that is a valid rationale – but it still doesn’t explain (let alone justify) the need to collect data in identifiable form. Nor does the accumulation of data centrally equate to the effective or timely use of that data to improve outcomes. The UK’s recent history is littered with tragic evidence of that.
This potential long-term societal benefit is not the complete cost/benefit analysis, though. The data will also be made available to organisations commissioned to provide services to the NHS. That’s a rather broad category; what the organisations will have in common is that they will pay for the data. In other words, part of the cost/benefit analysis is that the healthcare records represent a revenue stream for the HSCIC (Health and Social Care Information Centre). Here’s the price list. One thing you may notice is that, although the HSCIC says it operates on a “cost recovery basis”, it charges more for extracts that include personal confidential data than for extracts with that data filtered out. In my experience it takes more effort to write a selective database query than to dump whole records, so the higher price cannot be explained by higher cost. Either way, the financial and commercial benefits accrued by others will come whether or not any patient care benefits materialise in the long term, and regardless of any damage to patient confidentiality.
So what of the risk to patients? The NHS’ own Privacy Impact Assessment is reported as warning of the danger of re-identification of pseudonymised data; a danger that grows with time, as the techniques of re-identification evolve. In other words, data will be disclosed to commercial and other third parties, whose capabilities to secure it are indeterminate, and in the face of a growing risk that pseudonymisation provides little or no protection. In fact, if you were a recipient of data that someone assured you was anonymised, how careful would you feel you needed to be with it?
If this reliance on pseudonymity seems short-termist, consider how much worse the picture gets when patients’ DNA profiles are routinely a part of their medical record. At that point, whether you opt into or out of care.data will directly affect not just your own privacy, but also that of your siblings and offspring.
For those interested in the rapidly-evolving research area of de-anonymisation, here is a good introductory article including pointers to existing research done by Paul Ohm, Latanya Sweeney, and Narayanan and Shmatikov. Like me, you may conclude that a record containing your NHS number is not anonymous at all, and that one containing your date of birth, gender and full postcode is not far behind: none of those three fields names you on its own, but a full UK postcode covers only a handful of households, and the combination is enough to single most people out once it is joined against any list that carries the same fields.
But what of the risk to abusers of the system? Well, NHS England is clear: those granted access could attack the confidentiality of the data by combining it with data from other sources, but “such an attack would be illegal and would be subject to sanction by the Information Commissioner’s Office”. Given the limited powers, reach and resources of the ICO, off-shore data brokers and health insurance providers must be quaking at that prospect.
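The “combining it with data from other sources” attack that NHS England describes, and that the re-identification research above is about, is a plain database join. The following is an added example of my own, not code from the NHS, the HSCIC or any of the authors cited: a pseudonymised extract that replaces the NHS number with an opaque token but keeps date of birth, sex and full postcode is linked against an identified list (the edited electoral roll or a marketing database would do) on those three fields. Both datasets are constructed toy data; the names, tokens and diagnosis codes are placeholders, and the `generalise` option (year of birth plus outward postcode only) is my own illustration of the partial mitigation, not anything the care.data scheme offers.

```python
"""Linkage attack on a "pseudonymised" health extract (constructed toy data)."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the shape of a pseudonymised extract. The NHS number
# has been replaced by a token, but the quasi-identifiers (date of birth,
# sex, full postcode) are left in clear because "they are not identifiers".
HEALTH_EXTRACT = [
    {"token": "p-7f3a", "dob": "1974-03-12", "sex": "F", "postcode": "CB3 0FD", "diagnosis": "E11"},
    {"token": "p-19c2", "dob": "1982-11-02", "sex": "M", "postcode": "CB3 0FD", "diagnosis": "F32"},
    {"token": "p-a4e1", "dob": "1991-06-30", "sex": "F", "postcode": "CB4 1PX", "diagnosis": "J45"},
    # Same dob/sex/postcode as the record above (twins, or flatmates born the
    # same day): this pair is the only one the join cannot separate.
    {"token": "p-c0d9", "dob": "1991-06-30", "sex": "F", "postcode": "CB4 1PX", "diagnosis": "Z00"},
    {"token": "p-5b77", "dob": "1960-01-25", "sex": "M", "postcode": "CB1 2AB", "diagnosis": "I10"},
]

# Constructed sample: an identified list an attacker already holds, such as
# an edited electoral roll or a purchased marketing database. It carries
# names alongside exactly the same quasi-identifiers.
PUBLIC_LIST = [
    {"name": "A. Example", "dob": "1974-03-12", "sex": "F", "postcode": "CB3 0FD"},
    {"name": "B. Example", "dob": "1982-11-02", "sex": "M", "postcode": "CB3 0FD"},
    {"name": "C. Example", "dob": "1991-06-30", "sex": "F", "postcode": "CB4 1PX"},
    {"name": "D. Example", "dob": "1991-06-30", "sex": "F", "postcode": "CB4 1PX"},
    {"name": "E. Example", "dob": "1960-01-25", "sex": "M", "postcode": "CB1 2AB"},
    {"name": "F. Example", "dob": "1960-01-25", "sex": "M", "postcode": "CB1 2ZZ"},
]

QuasiId = Tuple[str, str, str]


def quasi_id(rec: dict, generalise: bool = False) -> QuasiId:
    """The join key. With generalise=True, coarsen to year of birth and the
    outward postcode (the part before the space) to show how much, or how
    little, that helps."""
    if generalise:
        return (rec["dob"][:4], rec["sex"], rec["postcode"].split()[0])
    return (rec["dob"], rec["sex"], rec["postcode"])


def k_anonymity(records: List[dict], generalise: bool = False) -> int:
    """Smallest number of records sharing one quasi-identifier value.
    k == 1 means at least one person is unique in the extract."""
    counts = Counter(quasi_id(r, generalise) for r in records)
    return min(counts.values())


def link(extract: List[dict], public: List[dict], generalise: bool = False) -> Dict[str, List[str]]:
    """Join extract to the identified list on the quasi-identifier.
    Returns token -> candidate names; a list of length 1 is a re-identification."""
    index: Dict[QuasiId, List[str]] = defaultdict(list)
    for person in public:
        index[quasi_id(person, generalise)].append(person["name"])
    return {r["token"]: index.get(quasi_id(r, generalise), []) for r in extract}


def reidentified(extract: List[dict], public: List[dict], generalise: bool = False) -> Dict[str, str]:
    """Only the unambiguous matches: token -> name (and hence name -> diagnosis)."""
    return {tok: names[0] for tok, names in link(extract, public, generalise).items() if len(names) == 1}


if __name__ == "__main__":
    for generalise in (False, True):
        label = "year + outward postcode" if generalise else "full dob + full postcode"
        hits = reidentified(HEALTH_EXTRACT, PUBLIC_LIST, generalise)
        print(f"{label}: k={k_anonymity(HEALTH_EXTRACT, generalise)}, "
              f"{len(hits)}/{len(HEALTH_EXTRACT)} records re-identified")
        for rec in HEALTH_EXTRACT:
            if rec["token"] in hits:
                print(f"  {hits[rec['token']]} -> diagnosis {rec['diagnosis']}")
```

On the full fields three of the five pseudonymised records resolve to a single named person, and the two that do not are separated only because two people happen to share a birthday and a postcode. Coarsening to year of birth and outward postcode cuts the unambiguous matches to two, but the extract still contains unique individuals (k stays at 1), which is the point the Privacy Impact Assessment concedes: the token protects nothing once the quasi-identifiers travel with it, and every additional public dataset makes the join easier.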
Tim Turner offers an articulate analysis, here, of some of the specious defences currently being offered to explain why we shouldn’t concern our little heads about risk.
To recap: care.data creates a market for confidential data, with questionable safeguards and very little prospect of enforcement. How about consent?
First, here is the public mailshot to households; you will notice that it is glossy in content as well as in form, and that it is based on the presumption that every citizen is opted in by default. To opt out, you have to become aware of the issue, make a decision and act on it. Among those who have expressed concern about this, as the only consent mechanism in operation, are:
– Professor Ross Anderson, an information security specialist
– The MedConfidential campaign
The fact that GPs and their national body are concerned is especially significant. You might think that, as the current holders of the records in question, and as parties to the confidential relationship between an individual and their doctor, GPs would be able to exercise control over their release. But the legislation enabling care.data includes provision for the NHS to require GPs to provide the data, simply stating that doing so “does not breach any obligation of confidence owed by the person providing it”. It’s easy for them to say that – I’d beg to differ. Doctors’ role as data controllers has its own legal consequences, and there’s a distinct possibility that EU Data Protection law is heading in a direction that will bring it into direct conflict with care.data. Recall, also, the point I made earlier about DNA records and their privacy impact on your siblings and offspring. The NHS privacy impact assessment, incidentally, does not mention DNA.
Nor is the opt-out explained in specific detail in the material sent to households. The NHS leaflet contains the URLs of two pages, neither of which explains what opt-out codes will protect which items of data. The exercise of translating your “I would like to opt out, please” into specifics is left to the staff at your GP’s practice. And as Ross Anderson’s blog points out: opting out of the care.data upload is not the same as having opted out of the “Summary Care Record” scheme – despite ministerial assurances to the contrary at the time.
But it gets worse. The GP’s magazine, Pulse, is reported as saying that the data of “opted-out” patients will still be added to the database, but with the information “stripped of identifiers”. In other words, it is quite possible that the “opt out” is nothing of the sort. The HSCIC’s own website does little to clarify things; here’s the guidance it offers to GPs. As you will see, for any category of data whose extraction might be qualified or circumscribed in some way, there is another clause that permits or requires its extraction. I’ve read the text a few times, and can’t identify any data that it conclusively bars from extraction.
By now, you probably understand why I was reluctant to embark on this post. If you’ve made it this far down the rant, I offer you congratulations which I hope will offset the gnawing anguish and rage you are quite likely to be experiencing. You should probably see a doctor about that… just don’t expect it to remain private.