Targeted junkmail "from" your GP?

David Hansen ukcrypto at chiark.greenend.org.uk
Tue, 01 Jul 2008 09:09:38 +0100


On 30 Jun 2008 at 17:11, Peter Fairbrother wrote:

> To give an example, suppose an AIDS trial. The researchers prepare a set 
> of criteria which is passed to GPs' surgeries. Surgeries then run the 
> criteria against their records (they get paid for this BTW), and report 
> the number of results.
> 
> The results will be almost identical to those generated by a centralised 
> database survey, the difference being Surgeries who don't perform the 
> search - which would not be in the interest of their patients, so 
> probably not many losses here - plus the people who opt-out of a 
> centralised database. Overall I'd guess that the gains would far 
> outnumber the losses, especially after surgeries get used to running 
> searches.
> 
> 
> Surgeries then write to any possible candidates (they get paid for this 
> too), and things go from there.

I think this is the right approach, though details could be discussed 
in order to refine them. It is the sort of approach I was thinking of, 
though had not put into words.

> I'd suggest three categories of search - one mandatory, for NHS 
> administration purposes only, and all results must remain within the NHS 
> administration (unless they pass them on to the Police for investigation 
> of misconduct, Shipmanism, etc).

I think that this should be subject to some real regulation. It is not 
good enough for some official to think it is a good idea to scoop up 
say 25 million records and then put them on an unencrypted piece of 
plastic.
 
> Second, mandated research. Surgeries must perform these searches. These 
> searches should be approved by the NHS, a privacy committee, and an 
> ethics committee.
> 
> Third, voluntary research. These searches should be approved by a 
> privacy committee and an ethics committee. Surgeries get paid extra for 
> running these searches.

I'm not sure that such a distinction is useful. What sort of things 
were you thinking of putting into each category?

> The privacy committee should look at the results to be submitted - eg in 
> many cases it might be "we have 6 patients matching the criteria".

That is a very good point.

> Full 
> records should not be made available without patient consent.

I can imagine the howls from the medical research mob about this.


-- 
  David Hansen, Edinburgh 
 I will *always* explain revoked encryption keys, unless RIP prevents me
http://www.opsi.gov.uk/acts/acts2000/00023--e.htm#54