Targeted junkmail "from" your GP?

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Mon, 30 Jun 2008 17:11:49 +0100


Brian Gladman wrote:
> 
> ----- Original Message ----- From: "Peter Fairbrother" 
> <zenadsl6186@zen.co.uk>
> To: <ukcrypto@chiark.greenend.org.uk>
> Sent: Monday, June 30, 2008 1:59 AM
> Subject: Re: Targeted junkmail "from" your GP?
> 
> 
>> Ben Laurie wrote:
>>> Wendy M. Grossman wrote:
>>>> Roland Perry wrote:
>>>>
>>>>> I have no idea what they are proposing to do, but in principle it 
>>>>> would be relatively straightforward for them to have anonymised 
>>>>> patient records, and then send a message back to the NHS saying 
>>>>> "please forward the following invitation to patient number XYZ", 
>>>>> where only the NHS/PCT etc knows that patient's name or address. 
>>>>> They could even send the invite to the patient's GP, who could then 
>>>>> call the patient in to discuss the issue.
>>>>
>>>> Research indicates that re-identifying supposedly anonymized records 
>>>> is not all that difficult.
>>>
>>> That's a rather broad generalisation. What research shows is that you 
>>> have to be very careful when you anonymise records - merely removing 
>>> the name and address _may_ not be sufficient.
>>>
>>
>> This is a matter of opinion, but I'd go with Wendy.
> 
> So do I.
> 
> I have spent a fair amount of time researching how to implement 
> inference controls on relational databases and it very often transpires 
> that the effective prevention of inferences results in a database that 
> is no longer capable of supporting its intended functions.   

In my limited experience, it's _always_ that way.


> This drives
> us back to procedural controls on data use and, as we know, these are 
> pretty ineffective (in both the public and private sectors).

There may be a third way, though I'm not sure what to call it.

To give an example, suppose an AIDS trial. The researchers prepare a set 
of criteria which is passed to GPs' surgeries. Surgeries then run the 
criteria against their records (they get paid for this BTW), and report 
the number of results.

The results will be almost identical to those generated by a centralised 
database survey, the difference being Surgeries who don't perform the 
search - which would not be in the interest of their patients, so 
probably not many losses here - plus the people who opt-out of a 
centralised database. Overall I'd guess that the gains would far 
outnumber the losses, especially after surgeries get used to running 
searches.


Surgeries then write to any possible candidates (they get paid for this 
too), and things go from there.

The difference is that the researchers do not get the names and 
addresses or any other details of people who don't want to participate. 
The payments for doing the search and for writing the first-contact 
letter? These have to be done anyway, and the researcher has to pay for 
them. It will be a little more expensive, but not much.


This might seem unwieldy, but as most if not all GPs use the same record 
structure the remaining need is to teach surgeries to perform the 
searches. This can be standardised quite easily, and if the surgeries 
run a number of searches, eg every week, then it should become routine.




I'd suggest three categories of search - one mandatory, for NHS 
administration purposes only, and all results must remain within the NHS 
administration (unless they pass them on to the Police for investigation 
of misconduct, Shipmanism, etc).

Second, mandated research. Surgeries must perform these searches. These 
searches should be approved by the NHS, a privacy committee, and an 
ethics committee.

Third, voluntary research. These searches should be approved by a 
privacy committee and an ethics committee. Surgeries get paid extra for 
running these searches.

The privacy committee should look at the results to be submitted - eg in 
many cases it might be "we have 6 patients matching the criteria". Full 
records should not be made available without patient consent.


Just some quick thoughts, not meant to be definitive but just to 
demonstrate the kind of thing which is possible.

-- Peter Fairbrother
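
The count-only search flow proposed in the message above, as an added Python example that is not part of the original post. The class names, category labels, approval labels and sample records are assumptions constructed for illustration; the post names no committee for the NHS administration category, so none is required here.

```python
# Added illustration: names and category labels are assumptions, not from the post.
from dataclasses import dataclass

REQUIRED_APPROVALS = {  # approvals a search needs before a surgery will run it
    "nhs_admin": frozenset(),  # mandatory; results stay within NHS administration
    "mandated_research": frozenset({"nhs", "privacy", "ethics"}),
    "voluntary_research": frozenset({"privacy", "ethics"}),
}

@dataclass(frozen=True)
class SearchRequest:
    search_id: str
    category: str
    approvals: frozenset
    criteria: object  # callable: record dict -> bool

class Surgery:
    def __init__(self, records, runs_voluntary=True):
        self._records = records          # full records stay at the surgery
        self._runs_voluntary = runs_voluntary
        self._candidates = {}            # search_id -> ids the surgery writes to
        self._consented = {}             # search_id -> ids who agreed to take part

    def run_search(self, req):           # runs locally, reports only a count
        missing = REQUIRED_APPROVALS[req.category] - req.approvals
        if missing:
            raise PermissionError(f"missing approvals: {sorted(missing)}")
        if req.category == "voluntary_research" and not self._runs_voluntary:
            return None                  # surgery declined; nothing is reported
        ids = {r["id"] for r in self._records if req.criteria(r)}
        self._candidates[req.search_id] = ids
        return len(ids)

    def record_consent(self, search_id, patient_id):
        if patient_id not in self._candidates.get(search_id, set()):
            raise ValueError("patient was not a candidate for this search")
        self._consented.setdefault(search_id, set()).add(patient_id)

    def release(self, search_id):        # records only for patients who consented
        agreed = self._consented.get(search_id, set())
        return [r for r in self._records if r["id"] in agreed]

def total_matches(surgeries, req):       # all the researcher sees before consent
    return sum(c for c in (s.run_search(req) for s in surgeries) if c is not None)

# Constructed sample records and request, not real data.
SURGERY_A = Surgery([{"id": "A1", "age": 34, "condition": "C1"},
                     {"id": "A2", "age": 45, "condition": "C1"},
                     {"id": "A3", "age": 61, "condition": "C1"}])
SURGERY_B = Surgery([{"id": "B1", "age": 29, "condition": "C1"}], runs_voluntary=False)
TRIAL = SearchRequest("trial-1", "voluntary_research", frozenset({"privacy", "ethics"}),
                      lambda r: r["condition"] == "C1" and r["age"] < 50)
```
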