Data Sharing Review

Michael Simpson ukcrypto at chiark.greenend.org.uk
Wed, 16 Jul 2008 12:04:37 +0100 

Hi Adrian

answers in-line

On 7/16/08, Adrian Midgley <amidgley2@defoam.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Michael Simpson wrote:
> > On 7/12/08, Mary Hawking <maryhawking@tigers.demon.co.uk> wrote:
> >> The report on data sharing commissioned from Dr Mark Walport (Welcome Trust)
> >> and Richard Thomas has been published: hardly surprisingly - seeing the
> >> interests of one of the authors - it is very keen to allow researchers full
> >> access to medical records - and seems to think that these will be held on a
> >> central database for the whole of England. I don't think there is the full
> >> support for making medical records available for research among the medical
> >> profession that is claimed.
> >>
> >
> > As a medic with an interest in developing an electronic patient
> > register i would be unhappy with the concept of any data sharing
> > without the specific consent of the patient being given *every* time
> > that their data is to be accessed by anyone.
>
>
> There are two definite problems there:-
>
> 1.  that when the patient is present they will almost always have some
> agenda, and substituting gaining consent to look at their records for
> their opening remarks is bad.
>

I agree however if the system was based on some sort of biometric
marker then it would become automatic.
When i see a patient for the first time then i have to ask their
permission to share their info with social work.
With a fair proportion of them they interprete this as "tell me about
your drug use so that i can tell social work to come and remove your
children"
I have become very good at reassuring people about how their data will
be used in this instance.

>
> 2.  It makes work when the patient is not there difficult - unless the
> consent is assumed to or explicitly extends on from when it was last
> given ...  This would render reviews of medicines and results and
> referrals difficult and taken to its extreme require a new solution to
> repeat prescriptions.
>

As part of the initial "data sharing" interview then patients can be
asked "if your records need to be accessed in an emergent situation
and you are unable to give permission at that time do you give your
consent for that to happen"
Having worked for years in A&E this would enable much more rapid
treatment for patients with a number of conditions, and it is these
patients that would be more than happy to sign up. Also patients on
interestingly lethal drugs would also consent quite quickly (yes
warfarin, i'm looking at you).

Once patients got used to putting thier finger into a reader (for
instance) prior to consultations with GPs, pharmacists, nursing staff,
SHOs (or whatever they are called these days) in hospital then it
would become routine very quickly.

It would also give them reassurance that they had control over their
information which is something that nobody has any assurance of at
present.

PKI with some sort of key escrow accessible by specific medics (senior
A&E docs) would enable this to happen and would reassure me that my
private records aren't going to be left on a laptop then being sold in
irc channels after some mandarin has a moment of forgetfulness in a
taxi or TNT loses another "encrypted" disk.

>
>
> I favour an absolute rule of all reading of the patient's notes being
> reported to them, quarterly or  monthly or by access to a web site at
> their will - whatever is suitable.  Like a phone bill or credit card.
>

cart <-horse
many of my patients are no fixed abode and are not yet part of the
information age wrt inet access
Social exclusion is the main acheivement of this area of Glasgow so
that wouldn't work.

> Each report should say who accessed what, what right they asserted, what
> purpose they declare and what they accessed.
>

I have worked for Big Pharma and would trust them as far as i could
throw the collective members of the board.
If i was approached by someone doing research to induct patients into
a trial or use details for a cohort then i would still rather gain
informed consent every time.


> Given (existing or required) logging of access this becomes a sizeable
> but not difficult task.
>
i agree with all access being logged anyway even (in fact especially)
after consent to create a decent audit trail.

a decent sized mySQL cluster should do it
:-)

> - --
> A
>

mike