
Blog Author: Mike Barwise, Integrated InfoSec, MD

Mike Barwise's blog 05-11-2008 20:55

Should we agree to wider NHS data sharing?

The NHS has opened a public consultation on "the wider use of patient information", which essentially boils down to the sharing of anonymised and partially anonymised patient data for research purposes - potentially with commercial and other bodies beyond the confines of the NHS. This is a subject that is likely to arouse strong reactions from all concerned, and is not likely to go away. Patient data has, as the consultation paper rightly states, been used for planning and research purposes for a long time, but the modern techno-health machine relies more and more on statistical research, particularly to underpin decisions on allocating increasingly tight budgets as treatment costs escalate, so non-clinical uses of patient data are likely to be extended significantly. This is all the more likely as patient records get centralised, making such uses easier to accomplish.


So what's in this consultation paper? Once I had recovered from the adverse initial impression resulting from an animated NHS logo on every page of the document (yes, really - it jiggles about like a hula dancer on speed), I was quite impressed by the consultation document. Unlike many such consultations emanating from government departments, this one seems to be driven by a genuine desire to obtain the views of the public at large - the questions do not seem to be loaded. Whether the answers actually influence the ultimate decisions is of course another question, and we will have to wait until February next year to find out.


Various approaches to data handling are described in the consultation paper. "Sealed envelopes" within the medical record of an identifiable person can hide certain information but will show that something is concealed. Alternatively the record can contain "sealed and locked" information, the very existence of which is hidden. Anonymisation, which does not conceal the facts but attempts to remove personal identifying information from the factual record, supposedly breaks links between independent records for the same individual. A half-way house to anonymisation merely replaces the personal identity with an arbitrary token but otherwise keeps the whole of all records intact. The public is being asked to give their views on the pros and cons of these approaches. From my perspective, this is asking quite a lot. The issues are complex, even supposing the proposed systems themselves are robust.


One of the biggest concerns will be the robustness of the processes - something our government is not particularly good at getting right to date. Informed consent and opt-out are also likely to be bones of contention. Will the "seals" and "locks" remain intact under all circumstances, and if not, who has control? Ultimately, the question "who owns your medical records?" has not yet been satisfactorily answered, and until it has there will always be legitimate concerns about their use in other than a purely therapeutic context.


Until there are clear undertakings that no more than the necessary information will be abstracted from the record for any given purpose, that its confidentiality will be protected, and there is clear evidence that such undertakings are being fulfilled consistently, we should worry. The very same considerations went by the board in the infamous HMRC incident - a data set containing massive amounts of redundant sensitive information was mishandled and leaked - for no other reason than departmental cost-cutting. So in this case, I firmly believe the time is not right for increased information sharing, however it is implemented - simply because the government and its contractors have proved themselves both incompetent at data security and uncaring as to the repercussions of their incompetence. They may get their act together - we must hope so - but until they do, can we really afford to acquiesce to increased circulation of our sensitive medical records? I say "No" emphatically - "not on your life!" - it just might be.



Permalink:
http://www.infosecurityadviser.com/view_message?id=82

Comments:

MG  21:07 pm, Tue 11th Nov 2008

the control was not there.
But probably this has changed by now......
MG  20:56 pm, Tue 11th Nov 2008

While working in local government in a support role, a few years ago, I was invited to consider a roll out of a test implementation of a patient data sharing application, already active in some other local authorities. When I asked for the minimum password length
Mike Barwise  11:29 am, Tue 11th Nov 2008

I would like to repeat my observation that this consultation does not seem to be so "preloaded" to desired results as others I have participated in. Nevertheless I would say the issues, although possibly clear to those who have worked within the NHS (and I am also one such), are likely to be far from clear to ordinary people in the street who have never been told explicitly what gets done already with their medical records or what is currently planned. As a result, most of the public responses are likely to be driven by "gut feeling", simply because we have not been given all the facts.
I would also say the analogy of HMRC is highly relevant. In February this year the medical journal Pulse reported that several thousand NHS Connecting for Health access cards had "gone missing" and that "In almost every case, lost or stolen smartcards were reissued automatically without investigation..." and other sources have disclosed that the cards are apparently issued with a standard default PIN which might not get changed. In both the HMRC and NHS cases, the failure is not in policy but in implementation. And with hundreds of thousands of authorised users within the NHS and potentially thousands more outside it if this consultation results in widened access, who could possibly ensure that policy will always be adhered to?
Data leakage is however, only one of the exposures. Rather more worrying is the well-recognised process of "function creep" such as has been demonstrated in the case of the Regulation of Investigatory Powers Act. The surveillance clauses of RIPA, originally designed to combat terrorism and organised crime, have latterly been invoked by local councils in cases relating to school catchment areas and dog fouling. By analogy, let us suppose that at some point in the future it becomes "convenient" for mental health records about children to be disclosable to schools. There have already been ministerial proposals (which I assume must be taken seriously) to brand some children as young as five as "potential offenders" - where might this stop? "Gattaca" combined with "Minority Report" could be a mild scenario by comparison. Please note these comments are designed to provoke controversy - we need controversy about this subject in order to bring the facts into the public arena.
David Harley  18:10 pm, Mon 10th Nov 2008

Interesting. Happily, I seem to have avoided the version with the animated graphic. Before you get too enthusiastic about the Department of Health's open door policy, you might want to take into account that NHS Connecting for Health has been working in all these areas for several years. But that doesn't, of course, mean that the organization doesn't have a genuine desire for consultation. That said, I don't think the community is being asked to consider the pros and cons of these approaches in general, only whether they would be happy with specific approaches being used in a particular scenario, with no commitment to change that use, or even reference to the fact that some of these are actual, current scenarios, not purely hypothetical future possibilities. The issues don't seem to be particularly complex to me, but then I did work in that environment for a while.
I cannot disagree that there have to be concerns about the robustness of the procedures, especially given the patchy success rate of National Programme deliverables over the past few years. The situation isn't altogether comparable to the HMRC incident, though. Many of the transactions posited here run in an environment which may not be perfectly secure, but is pretty paranoid...
That said, while I'm not sure that all the data leakage of the past few years can be laid directly at the door of the party in power (or, more to the point, that another party would do much better), I do think there are fundamental problems with the governmental urge to "transfer risk" by outsourcing. As I've discussed elsewhere in the past few days, outsourcing is not the same as transferring risk, and I'm not sure that I want the people who govern me to look upon risk transfer as an automatically acceptable alternative to risk mitigation.

© 2009 Reed Exhibitions. Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs.