BBC medical records story
M Taylor
mctylr at privacy.nb.ca
Wed, 6 Mar 2002 17:25:18 +0000
On Wed, Mar 06, 2002 at 03:50:21PM +0000, Ross Anderson wrote:
>
> `Need-to-know' is a catastrophic error. it is absolutely the wrong
> model for medical records. Privacy is based on patients' rights,
> flowing from the European Convention of Human Rights through the Data
> protection Directive. It is the patient who makes the access control
> decisions, not Sir Humphrey. However, the phrase `need-to-know'
> encapsulates the idea that a civil servant who decides that he needs
Thank you for that warning that civil servants want to self-authorize
themselves under the banner of "need-to-know". I was thinking more
like the military intelligence system, where you don't need to know
unless the data subject is sitting in front of you, and even then only
if it has been approved by the data owner (which in this case I take
to be the patient, a contrary view compared to some NHS-IA group think).
I believe that approach does fall into acceptable medical ethics.
> > c) consider Brands or Chaum blinding to create secure "aliases" for
> > all NHS patients, and treating the medical records of every patient as
> > if they were a VIP.
>
> Nice in theory but I don't think pseudonyms will work all that well in
> practice in this application. Many NHS records used to be
> `de-identified' down to postcode plus date of birth, and
> re-identifying them was so easy that in practice they worked like
> fully identified records. Technical anonymity is much harder than you
> think, and in an application like medicine where records contain many
> facts about individuals, a pseudonym alone is not enough.
I was thinking of multiple pseudonyms (i.e. one for GP, one for cancer
treatment, one for STD clinic tests, etc.), but I suspect the necessary
inter-linkage would break down.
M Taylor
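As an added illustration of the two points made above (postcode plus date of birth re-identifies trivially, and per-domain pseudonyms only join again if some party holds all the keys), here is a small Python sketch. It is not code from the thread or from any NHS system; the population register, NHS numbers and domain keys are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed toy population register (fictional people) used to show why
# "postcode plus date of birth" is not really de-identified.
POPULATION = [
    ("Alice", "AB1 2CD", "1970-01-01"),
    ("Bob",   "AB1 2CD", "1970-01-01"),   # shares Alice's quasi-identifier
    ("Carol", "AB1 2CD", "1981-05-17"),
    ("Dave",  "EF3 4GH", "1965-11-30"),
]

def reidentify(postcode, dob, population=POPULATION):
    """Names consistent with a 'de-identified' (postcode, dob) record."""
    return [n for n, p, d in population if (p, d) == (postcode, dob)]

def unique_fraction(population=POPULATION):
    """Share of people whose (postcode, dob) pair points to exactly one person."""
    counts = Counter((p, d) for _, p, d in population)
    return sum(1 for _, p, d in population if counts[(p, d)] == 1) / len(population)

# Hypothetical per-domain keys; in a real deployment each care domain
# (GP, oncology, GUM clinic) would hold only its own key.
DOMAIN_KEYS = {"gp": b"gp-key", "oncology": b"onc-key", "gum": b"gum-key"}

def pseudonym(domain, nhs_number, keys=DOMAIN_KEYS):
    """Keyed pseudonym: HMAC under the domain's key, so GP and clinic ids differ.
    Digest is truncated only to keep the toy output short."""
    return hmac.new(keys[domain], nhs_number.encode(), hashlib.sha256).hexdigest()[:16]

def join_without_keys(records_a, records_b):
    """Naive join on pseudonym alone: across domains it finds nothing."""
    return [r for r in records_a if r["pid"] in {s["pid"] for s in records_b}]

def join_with_linkage_service(records_a, dom_a, records_b, dom_b, nhs_numbers, keys=DOMAIN_KEYS):
    """Only a party holding both domain keys and the NHS-number list can
    recompute the pseudonyms and re-link the two record sets."""
    index_a = {pseudonym(dom_a, n, keys): n for n in nhs_numbers}
    index_b = {pseudonym(dom_b, n, keys): n for n in nhs_numbers}
    by_nhs_b = {index_b[s["pid"]]: s for s in records_b if s["pid"] in index_b}
    return [(r, by_nhs_b[index_a[r["pid"]]]) for r in records_a
            if r["pid"] in index_a and index_a[r["pid"]] in by_nhs_b]
```

The linkage service is exactly the trusted party that multiple pseudonyms push the problem onto: whoever holds all the keys can undo the separation, so its access rules matter as much as the blinding itself.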