Targeted junkmail "from" your GP?

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Mon, 30 Jun 2008 18:29:54 +0100


Peter Fairbrother wrote:
> Brian Gladman wrote:
>>
>> ----- Original Message ----- From: "Peter Fairbrother" 
>> <zenadsl6186@zen.co.uk>
>> To: <ukcrypto@chiark.greenend.org.uk>
>> Sent: Monday, June 30, 2008 1:59 AM
>> Subject: Re: Targeted junkmail "from" your GP?
>>
>>
>>> Ben Laurie wrote:
>>>> Wendy M. Grossman wrote:
>>>>> Roland Perry wrote:
>>>>>
>>>>>> I have no idea what they are proposing to do, but in principle it 
>>>>>> would be relatively straightforward for them to have anonymised 
>>>>>> patient records, and then send a message back to the NHS saying 
>>>>>> "please forward the following invitation to patient number XYZ", 
>>>>>> where only the NHS/PCT etc knows that patient's name or address. 
>>>>>> They could even send the invite to the patient's GP, who could 
>>>>>> then call the patient in to discuss the issue.
>>>>>
>>>>> Research indicates that re-identifying supposedly anonymized 
>>>>> records is not all that difficult.
>>>>
>>>> That's a rather broad generalisation. What research shows is that 
>>>> you have to be very careful when you anonymise records - merely 
>>>> removing the name and address _may_ not be sufficient.
>>>>
>>>
>>> This is a matter of opinion, but I'd go with Wendy.
>>
>> So do I.
>>
>> I have spent a fair amount of time researching how to implement 
>> inference controls on relational databases and it very often 
>> transpires that the effective prevention of inferences results in a 
>> database that is no longer capable of supporting its intended 
>> functions.   
> 
> In my limited experience, it's _always_ that way.
> 
> 
>> This drives
>> us back to procedural controls on data use and, as we know, these are 
>> pretty ineffective (in both the public and private sectors).
> 
> There may be a third way, though I'm not sure what to call it.

On reflection, it's probably procedural as well - but it's about access 
to data, not permitted uses.

This is much more stringent - if you can't access data, you can't misuse it.

-- Peter Fairbrother


> 
> To give an example, suppose an AIDS trial. The researchers prepare a set 
> of criteria which is passed to GP's surgeries. Surgeries then run the 
> criteria against their records (they get paid for this BTW), and report 
> the number of results.
> 
> The results will be almost identical to those generated by a centralised 
> database survey, the difference being Surgeries who don't perform the 
> search - which would not be in the interest of their patients, so 
> probably not many losses here - plus the people who opt-out of a 
> centralised database. Overall I'd guess that the gains would far 
> outnumber the losses, especially after surgeries get used to running 
> searches.
> 
> 
> Surgeries then write to any possible candidates (they get paid for this 
> too), and things go from there.
> 
> The difference is that the researchers do not get the names and 
> addresses or any other details of people who don't want to participate. 
> The payments for doing the search and for writing the first-contact 
> letter? These have to be done anyway, and the researcher has to pay for 
> them. It will be a little more expensive, but not much.
> 
> 
> This might seem unwieldy, but as most if not all GPs use the same record 
> structure the remaining need is to teach surgeries to perform the 
> searches. This can be standardised quite easily, and if the surgeries 
> run a number of searches, eg every week, then it should become routine.
> 
> 
> 
> 
> I'd suggest three categories of search - one mandatory, for NHS 
> administration purposes only, and all results must remain within the NHS 
> administration (unless they pass them on to the Police for investigation 
> of misconduct, Shipmanism, etc).
> 
> Second, mandated research. Surgeries must perform these searches. These 
> searches should be approved by the NHS, a privacy committee, and an 
> ethics committee.
> 
> Third, voluntary research. These searches should be approved by a 
> privacy committee and an ethics committee. Surgeries get paid extra for 
> running these searches.
> 
> The privacy committee should look at the results to be submitted - eg in 
> many cases it might be "we have 6 patients matching the criteria". Full 
> records should not be made available without patient consent.
> 
> 
> Just some quick thoughts, not meant to be definitive but just to 
> demonstrate the kind of thing which is possible.
> 
> -- Peter Fairbrother
> 
>
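An added illustration (not code from the thread) of the surgery-side search Peter sketches: the researcher hands over criteria, the practice runs them against its own records and releases only a count, with the small-count check a privacy committee would apply and a query-overlap control of the kind Brian's inference-control work refers to. The record fields, sample records and thresholds are assumptions for this example, not taken from any real GP system.

```python
# Surgery-side criteria search releasing counts only, with two textbook
# inference controls: small-count suppression and query-set-overlap refusal.
# Record fields, thresholds and sample data are assumptions for this example.
from typing import Callable, Dict, List, Set

Record = Dict[str, object]
Criteria = Callable[[Record], bool]

# Constructed sample records for one practice (not real patients).
RECORDS: List[Record] = [
    {"id": 1, "age": 34, "sex": "M", "hiv_positive": True,  "postcode": "AB1"},
    {"id": 2, "age": 41, "sex": "F", "hiv_positive": False, "postcode": "AB1"},
    {"id": 3, "age": 29, "sex": "M", "hiv_positive": True,  "postcode": "AB2"},
    {"id": 4, "age": 52, "sex": "M", "hiv_positive": True,  "postcode": "AB1"},
    {"id": 5, "age": 38, "sex": "F", "hiv_positive": True,  "postcode": "AB2"},
    {"id": 6, "age": 45, "sex": "M", "hiv_positive": False, "postcode": "AB2"},
]

MIN_COUNT = 3    # counts below this are withheld (assumed threshold)
MAX_OVERLAP = 2  # refuse a query sharing more records than this with an earlier answer


class SurgerySearch:
    """Runs researcher criteria locally; names never leave the practice."""

    def __init__(self, records: List[Record]) -> None:
        self.records = records
        self.answered: List[Set[int]] = []  # result sets already released

    def run(self, criteria: Criteria) -> str:
        matched = {r["id"] for r in self.records if criteria(r)}
        # Small-count suppression: "we have 1 patient matching" is itself identifying.
        if 0 < len(matched) < MIN_COUNT:
            return "suppressed"
        # Overlap control: a result set that differs from an earlier released one
        # by only a record or two would let the two counts be differenced, so the
        # query is refused instead of answered. Repeating an identical query is fine.
        for earlier in self.answered:
            if matched != earlier and len(matched & earlier) > MAX_OVERLAP:
                return "refused"
        self.answered.append(matched)
        return str(len(matched))
```

The cost Brian describes shows up directly: the tighter MAX_OVERLAP is set, the more legitimate follow-up searches the practice has to refuse.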