(Fwd) R.I.P. and NHSNet

Roland Perry roland at linx.net
Mon, 31 Jul 2000 20:03:18 +0100 

In article <200007311630.RAA14796@mps2.leeds.ac.uk>, M.Wells@leeds.ac.uk
writes
>Thinking about the RIP Act, confidentiality of medical records if
>transfered electronically and NHSNet, could someone enlighten me?
>
>Does the Act refer only to the Internet or does it apply also to
>intranets?

It applies, generally speaking, to all Communications Service Providers,
of which NHSNet would seem to be a typical example of a (probably)
private CSP.

>Is NHSNet an internet service provider? or is it an intranet?

Doesn't matter, it's a *Communications* service provider.

>If it *is* an intranet, is encrypted email, carrying confidential
>patient information, travelling between two NHSNet addresses subject to
>the same police  investigatory procedures as encrypted email travelling
>across the internet?

Stage 1: Intercepting the email within your premises: 

Probably not. It seems to me to be likely that it would be classified as
a Private CSP, and as such would not be liable to install a permanent
interception capability, although you could be asked to do ad-hoc
interceptions. Take independent legal advice about this though.

Stage 2: Intercepting the email outside your premises:

You are likely to be using leased lines and other infrastructure
obtained from a Public CSP (such as BT, C&W etc). They can be obliged to
intercept your communications. But only subject to strict rules that
would, for example, require the Home Secretary to be convinced that
there was a serious crime being investigated where no other means was
proportionate.

Stage 3: Decrypting the intercepted emails:

Again, only on the signature of the Home Secretary, having already
signed to get the encrypted emails. 

Decryption of records-in-transit is the reddest of herrings. Ask
yourself why the police would want the records if kept on bits of paper
stuffed in a tatty brown envelope.

>To preserve a possibility of patient confidentiality, are we going to
>have to foreswear email?

Only if you believe that the content of those encrypted emails form an
essential part of a conspiracy involved in serious crime.

Why might patient records be required in situations you disapprove of,
when investigating serious crime? Would the NHS voluntarily hand over
records about Dr Shipman's patients, or would they have to be compelled
to, by law? [What actually happened in that case, by the way. I think it
would help our understanding of what patient confidentially really
means. Or are people no longer patients after they are dead - it's
rather difficult for them to give consent, after all.]
-- 
Roland Perry