Surprising High Court ruling on privacy
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Sun, 13 Jun 1999 14:47:54 +0100
This list has from time to time touched on medical privacy, especially
in the context of GCHQ's determination to prevent encryption on the
NHS wide network or at least impose escrow.
Recently there has been an extremely surprising judgment in the High
Court, which may end up having the opposite effect to that which
appears to have been intended by a no doubt well meaning judge:
>http://www.rpsgb.org.uk/55.htm
>
>Prescription data sale ruled unlawful
>
>The [English] High Court has ruled that pharmacists cannot lawfully
>sell anonymous prescription data because to do so involves breaching
>patient confidentiality even though no-one can be identified.
In the UK, unlike the USA, most of the objectionable secondary uses of
personal health information are in the public rather than the private
sector. Private health informatics firms have for several years had to
abide by professional sensibilities and de-identify data properly
before using it for any purposes outside immediate health care; if
they don't, then associations such as the BMA will simply tell their
members not to supply the information.
The current court case amounted to an attempt by central government
to wrest this control away from the professions, and unfortunately it
seems to have succeeded.
The Department of Health has an appalling record on privacy. Readers
may recall that Whitehall bureaucrats have a database called HES
(Hospital Episode Statistics) which contains summary records of all
hospital treatment - diagnostic and treatment codes, costs and
outcomes. For years, this information was claimed to be anonymous.
But I found out in 1996 that patients are identified on it by postcode
and date of birth - a combination which identifies about 98% of UK
residents. Given that HES by its nature contains most really sensitive
medical facts - such as all lawful terminations of pregnancy and most
treatment for HIV infection - this was extremely disturbing.
There was a big public row, which had two main outcomes. Firstly, the
government set up a committee headed by Dame Fiona Caldicott to look
into data flows in the National Health Service. Secondly, the BMA
reached an agreement with private sector healthcare informatics firms
that data would be de-identified properly; for example, instead of
postcode plus date of birth, records should be identified by postcode
sector, year of birth and a provider-specific pseudonym. Most of the
private sector firms were already following good practice; the
agreement consolidated this and opened the possibility of firms
getting BMA `approval' for properly designed and operated systems.
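As an added illustration of the de-identification rule just described (example code, not part of the original post or of any BMA or IMS system), the following reduces a record keyed by full postcode and date of birth to postcode sector, year of birth and a provider-specific pseudonym. The HMAC construction of the pseudonym, the patient_ref field and the sample record are assumptions.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed sample record in the shape the post attributes to HES:
# identified by full postcode and full date of birth. The patient_ref
# field (a local practice reference) is an assumption; the post does not
# say what the provider-specific pseudonym is derived from.
SAMPLE_RECORD = {"postcode": "cb2 3qg", "dob": "1961-09-15",
                 "patient_ref": "PRACTICE-0042", "diagnosis": "Z00.0"}

# Outward code (e.g. CB2, SW1A) then inward code: one digit + two letters.
POSTCODE_RE = re.compile(r"^([A-Z]{1,2}\d[A-Z\d]?)\s*(\d)([A-Z]{2})$")

def postcode_sector(postcode: str) -> str:
    """Reduce a full UK postcode to its sector: outward code plus the
    first digit of the inward code ('CB2 3QG' -> 'CB2 3'). A full
    postcode covers a handful of addresses; a sector covers thousands."""
    m = POSTCODE_RE.match(postcode.strip().upper())
    if not m:
        raise ValueError(f"not a full UK postcode: {postcode!r}")
    outward, inward_digit, _ = m.groups()
    return f"{outward} {inward_digit}"

def year_of_birth(dob_iso: str) -> int:
    """Keep only the year of an ISO-formatted date of birth."""
    return date.fromisoformat(dob_iso).year

def provider_pseudonym(patient_ref: str, provider_key: bytes) -> str:
    """Provider-specific pseudonym. Assumption: HMAC-SHA256 of the local
    reference under a secret held by that provider, so the same patient
    gets a stable pseudonym within one provider's data but pseudonyms
    from different providers cannot be linked without the keys."""
    mac = hmac.new(provider_key, patient_ref.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def deidentify(record: dict, provider_key: bytes) -> dict:
    """Apply the BMA-agreed reduction: postcode -> sector, date of
    birth -> year, direct reference -> keyed pseudonym; clinical
    content is carried through and the raw identifiers are dropped."""
    return {
        "postcode_sector": postcode_sector(record["postcode"]),
        "year_of_birth": year_of_birth(record["dob"]),
        "pseudonym": provider_pseudonym(record["patient_ref"], provider_key),
        "diagnosis": record["diagnosis"],
    }
```

The function refuses partial postcodes rather than guessing, since a wrongly parsed sector would silently leak more locality than intended.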
The Caldicott committee turned out to be a disappointment. It had been
advertised as a neutral body of experts, but developed rapidly into a
typical government whitewash. It contained neither a lawyer, nor an
expert on computer security; it ended up approving the current state
of affairs, including some data flows that clearly contravene the
criminal law. What it did do was to get the issue off the agenda from
late 1996 until after the last election.
But the private sector side of things seemed to be developing fine. Firms
started to develop all sorts of new health management services,
including the system that was the subject of the recent litigation.
The company that designed it, IMS, sought approval from the BMA's
General Practice Committee who asked me to evaluate it. I looked at it
on a number of occasions in 1997-8 as it was developed and eventually
after they fixed all the flaws I could find, it got approved.
The Department of Health's action in seeking to ban it is
unsurprising. They are on the defensive against the argument that
`Well, Health Secretary, you claim that you need identifiable records
of all hospital care episodes and all pharmacy prescriptions in order
to manage the health service; but private sector firms can supply all
the information which you claim to extract using de-identified data
and systems which are approved by the medics'.
The judge's action in supporting them is yet another argument for
replacing the mandatory Latin courses in law degrees by mandatory
computer science courses. It is likely to remove one of the more
significant pressures on the civil service for a more ethical approach
to personal health information, and by knocking the private sector out
of much of the business it will mean that much health care management
will in the future be done with easily identifiable data. The demise
of private sector competition will ultimately mean that anybody who
wants such data will have to buy it from the NHS Executive, so in
addition to the erosion of privacy, an industry will in effect have
been privatised without compensation.
List members (with the possible exception of Nigel) will no doubt hope
that IMS manages to win the appeal.
URLs: the story of the 1996 conflict between the BMA and the DoH on
de-identification of medical data, which led to Caldicott, is at:
http://www.cl.cam.ac.uk/users/rja14/bmaupdate/bmaupdate.html
The Caldicott Report itself is at:
http://www.imt4nhs.exec.nhs.uk/general/caldico/index.htm
Some of the more obvious mistakes in Caldicott are described at:
http://www.cl.cam.ac.uk/~rja14/caldicott/caldicott.html
The security mechanisms in the IMS system are described in `Protecting
the identity of doctors in drug prescription analysis', V Matyas,
Health Informatics Journal v 4 no 3-4 (Dec 98) pp 205--2091,
Ross