BBC medical records story
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Wed, 06 Mar 2002 15:50:21 +0000
> It would have the public image of the public controlling their own
> data, but in fact I suspect that a national central DoH/NHS database
> would emerge as being more practical and the smartcard would be a
> facade of privacy.

Worse than that - in places where medical smartcards have been done,
like in Hanover, you got massive centralisation of data - records move
from surgeries to health authorities. Needed for compatibility, old
chap, and you didn't seriously expect us to put card personalisation
equipment in every surgery, did you?

Also, information systems generally promote the interest of the man with
the chequebook, and if the NHS Executive pays for a smartcard system you
can bet your balls it will serve their agenda of centralising records.

> a) a portable data format for health records

Be very careful about the costs and benefits of various levels of
compatibility. If you want total compatibility, the price may be total
centralisation, or a single supplier, or ossified data formats.

> b) a decentralized network of patient databases, securely accessed via NHSnet,
> administered and audited at the regional level with only traditional
> "need-to-know" access to all records

For the above reason, it's not going to happen. GP systems worked fine
so long as GPs paid for them: the developers did what GPs wanted. Now
that the DoH is picking up most of the bill, their agenda has taken
over and is crowding out the development effort.

`Need-to-know' is a catastrophic error. It is absolutely the wrong
model for medical records. Privacy is based on patients' rights,
flowing from the European Convention of Human Rights through the Data
Protection Directive. It is the patient who makes the access control
decisions, not Sir Humphrey. However, the phrase `need-to-know'
encapsulates the idea that a civil servant who decides that he needs
to know something can just help himself. This is wrong in law, it is
contrary to medical ethics, and by using Whitehall's propaganda
phrase you give away most of the battle. It leads naturally to a
system of protection based on confidentiality (secrecy for the
benefit of the organisation) rather than privacy (secrecy for the
benefit of the data subject), and that in turn leads to protection
based on levels of classification, centralised administration and
all sorts of other bad things.

> c) consider Brands or Chaum blinding to create secure "aliases" for
> all NHS patients, and treating the medical records of every patient as
> if they were a VIP.

Nice in theory but I don't think pseudonyms will work all that well in
practice in this application. Many NHS records used to be
`de-identified' down to postcode plus date of birth, and
re-identifying them was so easy that in practice they worked like
fully identified records. Technical anonymity is much harder than you
think, and in an application like medicine where records contain many
facts about individuals, a pseudonym alone is not enough.

> d) a public consultation of public and expert opinion on data mining of
> NHS records with and without express permission of the patient for
> research, searching for "warning signs", and access to 3rd-parties (i.e.
> drug companies). I think the current thinking from DoH seems to be
> that data is "state-owned" rather than "taxpayer-owned".

They are faffing around right now setting up committees of people to
help implement the latest health act, with all its data grabbing
provisions. It's quite predictable that these consultation bodies will
be stuffed with amenable people - DoH civil servants, medical
professors who want access to records for research without the hassle
of asking all those stroppy smelly nasty patients, etc.

I'm afraid that the pass already got sold when the Lords let the
health bill through.

Ross
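The point above, that records "de-identified" down to postcode plus date of birth still single out most patients even when the name is replaced by a pseudonym, can be measured on a small dataset. The following is an added example, not part of this thread: the records, the hashing secret and the pseudonymisation scheme are constructed, and the coarsened quasi-identifier shows one generalisation step (postcode area and decade of birth) that raises the smallest anonymity set.

```python
# Added example (not from the mailing-list post): measuring how many
# pseudonymised records are still unique on postcode + date of birth.
from collections import Counter
from hashlib import sha256

# Constructed sample records: (identifier, full postcode, date of birth, diagnosis)
RECORDS = [
    ("patient-01", "CB3 0FD", "1961-04-12", "asthma"),
    ("patient-02", "CB3 0FD", "1975-09-30", "hypertension"),
    ("patient-03", "CB3 0FD", "1975-09-30", "migraine"),
    ("patient-04", "CB4 1AA", "1961-04-12", "diabetes"),
    ("patient-05", "CB4 1AA", "1979-01-05", "eczema"),
    ("patient-06", "CB4 1AA", "1963-11-23", "asthma"),
]

def pseudonymise(identifier: str) -> str:
    """Replace the patient identifier with a keyed-hash pseudonym (constructed secret)."""
    return sha256(b"constructed-secret|" + identifier.encode()).hexdigest()[:12]

def anonymity_set_sizes(records, quasi_id):
    """For each record, the number of records sharing its quasi-identifier (k)."""
    keys = [quasi_id(r) for r in records]
    counts = Counter(keys)
    return [counts[k] for k in keys]

def unique_fraction(records, quasi_id) -> float:
    """Fraction of records that are the only one with their quasi-identifier."""
    sizes = anonymity_set_sizes(records, quasi_id)
    return sum(1 for s in sizes if s == 1) / len(sizes)

# Quasi-identifier as released: full postcode + full date of birth.
def full_key(r):
    return (r[1], r[2])

# Coarsened quasi-identifier: postcode area (first two letters) + decade of birth.
def coarse_key(r):
    return (r[1][:2], r[2][:3] + "0s")

def demo():
    # The pseudonym replaces the identifier but plays no part in the keys below.
    pseudo = [(pseudonymise(r[0]),) + r[1:] for r in RECORDS]
    return {
        "unique_full": unique_fraction(pseudo, full_key),      # 4 of 6 records unique
        "unique_coarse": unique_fraction(pseudo, coarse_key),  # none unique
        "min_k_full": min(anonymity_set_sizes(pseudo, full_key)),
        "min_k_coarse": min(anonymity_set_sizes(pseudo, coarse_key)),
    }

if __name__ == "__main__":
    print(demo())
```

Four of the six pseudonymised records remain unique on the full postcode and date of birth, so anyone holding a list of names with those two fields could link them back; the pseudonym contributes nothing to that risk.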