(Fwd) R.I.P. and NHSNet

Ben Laurie ben at algroup.co.uk
Mon, 31 Jul 2000 22:46:35 +0100


Mary Hawking wrote:
> 
> In message <000001bffb10$a6c8f6e0$eb65fea9@mycomputer>, Dr Alan Hassey
> <alan.hassey@btinternet.com> writes
> 
> >Mike
> >The NHS Encryption Programme Board will have to reconsider the use of
> >encryption in the light of RIP. As far as I can tell, NHSnet is the same as
> >the internet for legal purposes. The law may require NHS professionals to
> >provide clear text of encrypted messages (initially path results) & even
> >keys in the same way as for ISPs. NHS data is not to be treated as a special
> >case to the best of my knowledge. I've got some background reading to do on
> >all this & may be able to report further later...
> >
> >Mary's concerns are mostly justified, but she does need to remember that
> >doctors do not have an absolute duty of confidence & never have enjoyed the
> >same privileged client relationship that solicitors do. We always could be
> >compelled to disclose confidential information or risk a contempt charge.
> 
> I appreciate that - but this used to require a court order - and only
> apply to one individual...
> My understanding of the R.I.P legislation is that it is aimed at
> obtaining access to *all* the email addressed to or sent by an
> individual. If this is the case, having Al Capone as a patient could
> compromise the confidentiality of the other 2499 patients on the
> list....

That is not actually the deal - although RIP can potentially target all
email to/from someone, it can also target individual mails (or files).

> > I
> >am not sure how we stand on disclosing to a patient that a request for
> >access to "their" records has been made....
> 
> You can't - 2 years in jail for not disclosing the key - and *5* years
> for telling anyone else that you've been asked!

Only if a gagging order is applied.

> > Each EDI message (initially at
> >least) will contain multiple EDI transfers - potentially hundreds - for
> >incorporation into individual EPRs. Disclosure of the clear text EDI
> >message will therefore be a breach of confidentiality for many patients at a
> >time.
> >
> >For now the - message must be informed consent... Tell patients what's
> >happening & talk to your medical defence society if any of the security
> >agencies ask for clear text transcripts of EDI messages.
> 
> Is anyone from the GPC or BMA on this list?
> 
> >
> >As for later - patient-held records look increasingly sensible
> >
> >Hope this helps...
> 
> Alan, I'm not on the ukcrypto list: if this doesn't get on, could you
> copy it and tell me whether I could join - and if so, how?

It did, but I can't remember how you join, I'm afraid...

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/