The Guardian and several blogs I’ve been reading over the weeks have been flapping over an alleged scheme in which NHS England is about to sell patient records to private companies. Of course it’s very worrying if it’s true, but is it? The soundbites from privacy campaign directors are often factually wrong (they just are) and therefore unreliable, and the official literature targeted at patients isn’t telling people what they need to know.

A lot of fuss could have been averted if NHS England had simply posted the ‘Technical Specification of the GP Extract’ document through people’s doors instead of the ‘Better information means better care’ leaflet, or better still, asked for people’s consent beforehand. In short, the media, for lack of decent journalism, haven’t distinguished between the information being uploaded and the information actually being retained and supplied to external organisations by the Health and Social Care Information Centre (HSCIC).

First, the information that won’t be uploaded is: patient names, addresses, ‘free text’ and any records made before 1st April 2013. What would be uploaded by your local friendly GP are date of birth, post code, NHS number and gender, and the data will be sorted into the following categories:
* Demographics
* Events (from what source?)
* Referrals
* Prescriptions

So my understanding is that the only stuff not being uploaded to the database are GPs’ notes and any records made prior to April 2013. What happens after that lies in the HSCIC’s definition of pseudonymity. The following is how they intend to process the data after the GP ‘extractions’ have been added to the ‘Primary Care Dataset’:

(Data Management Environment, Technical Specification of the GP Extract)

The next several pages describe the ‘linkage’ and processing of the data from the Primary Care Dataset. Here the identifiable information is only used in the early stages of processing, so that data on individuals is correctly aggregated and tagged with ‘HES ID’ identifiers. Following that, the Primary Care Dataset and the identifying information are destroyed, so what the HSCIC is left with is aggregated pseudonymous data that can’t be attributed to any given person. Anyone outside the health service sees only aggregated data, or statistics.

Or perhaps not. The Data Linkage and Extract Service page on the HSCIC site appears to contradict this, stating that confidential and identifiable information, such as political views, sexual life and mental condition, could indeed be supplied to third parties under certain conditions where the patient has not given his/her consent. For example, under section 251 ‘where it was not possible to use anonymised information and where seeking consent was not practical’. Opting out might be a good idea for some people.
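The link-then-destroy processing described above, as an added Python example that is not taken from the HSCIC specification or from this post: it assumes a keyed hash of the NHS number stands in for the ‘HES ID’, and that date of birth and postcode are coarsened to birth year and postcode district. All rows and the key are constructed. The `small_cells` check shows why pseudonymous records can still single a person out when few people share the same demographics.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample rows: (NHS number, date of birth, postcode, gender, event)
GP_EXTRACT = [
    ("9000000001", "1980-03-14", "AB1 2CD", "F", "prescription"),
    ("9000000001", "1980-03-14", "AB1 2CD", "F", "referral"),
    ("9000000002", "1980-07-02", "AB1 9ZZ", "F", "prescription"),
    ("9000000003", "1951-11-30", "AB1 4EF", "M", "referral"),
]

def pseudonym(nhs_number: str, key: bytes) -> str:
    """Keyed hash: stable per person, not reversible without the key.
    Assumption: stands in for the 'HES ID' the post mentions."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]

def link_and_strip(rows, key):
    """Group events per person under a pseudonym and drop direct identifiers."""
    linked = {}
    for nhs, dob, postcode, gender, event in rows:
        pid = pseudonym(nhs, key)
        person = linked.setdefault(pid, {
            "birth_year": dob[:4],            # generalised from full date of birth
            "district": postcode.split()[0],  # outward part of the postcode only
            "gender": gender,
            "events": [],
        })
        person["events"].append(event)
    return linked

def small_cells(linked, k):
    """Return demographic combinations shared by fewer than k people."""
    cells = Counter(
        (p["birth_year"], p["district"], p["gender"]) for p in linked.values()
    )
    return sorted(cell for cell, n in cells.items() if n < k)

if __name__ == "__main__":
    linked = link_and_strip(GP_EXTRACT, key=b"constructed-demo-key")
    for pid, person in linked.items():
        print(pid, person)
    print("cells below k=2:", small_cells(linked, k=2))
```

Whoever holds the key can regenerate the pseudonym from an NHS number, so destroying the identifying fields protects nothing unless the key is also controlled or destroyed.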

Another page in the technical guide shows roughly what data is (or should be) going to which entities:

(care.data Feeds for Release 1, Technical Specification of the GP Extract)

Nowhere in the technical specification or the Customer Requirement Summary does it state personally identifiable information would be sold to private entities outside the healthcare field, but still the scope seems broad enough for any interpretation. It’s conceivable that insurance companies would use the published data to jack up their prices based on the demographics, but they pretty much do this anyway.

Security concerns
Is it possible that identifiable confidential information would end up in the wrong hands? Short answer: yes. We’ve all read about some healthcare professional losing the odd USB drive or laptop with patient records, and uploading that information from GPs and hospitals to one place, on a routine basis for the ‘Primary Care Dataset’, is a disaster waiting to happen. It really is.

Even if the information is anonymised at some point by the HSCIC, it’s the initial upload itself that’s quite possibly breaching doctor/patient confidentiality (which would cease to exist after disclosure) and the Data Protection Act, both of which are designed to be our safeguards against the misuse of personal information.