Important information for NHS patients in England

[TerriDowty]

In the next few weeks, information that you share with your GP will be
extracted from surgery records and stored on centralised NHS systems
with your identifying details still attached. From there, it will be
made available for administrative, research and other purposes. The
government has claimed that your records will be ‘anonymised’ before
they are handed over to anyone else, but this is not true. There are
several circumstances in which data that identifies patients will be
made available, including to administrators.

Once your information has been uploaded, neither you nor your GP will
have any control over who it is shared with, who has access or what is
done with it. You will not be consulted, nor will you be asked for
consent. Uploads will take place automatically every month.

When you next visit your GP, you may see a small poster headed ‘how
information about you helps us to provide better care’. This is how NHS
England is explaining its plans to you and it is misleading. It does not
give you full details of the information that will be collected - which
includes your date of birth, postcode, ethnicity and NHS number - and it claims that information will not identify you.

Further down the poster you will see the words ‘you have a choice’. What
this actually means is: if you do not want personal and confidential
information to be taken from your medical record every month, the onus
is on you to opt out of the scheme. If you don’t do so, it will be
assumed that you consent to the extraction.

You can download an opt-out letter to complete and send to your GP from the medConfidential website:
medconfidential.org/how-to-opt-out/

You will also find more detailed information about the scheme – known as ‘care.data’ – on the website: medconfidential.org

Please tell all of your friends, family and colleagues about this
scheme, or forward this information to them. It's very important that
everyone knows they must take action if they don’t want their
information to leave their GP’s surgery.

I assume it was no 2- but I don't want no 1 on the list either.

sorry- that should be the other way round.

That's the Summary Care Record.

You can check with your surgery whether one of those has already been set up for you. If it has and you're unhappy about it, IIUC you can opt out of having further data uploaded as they expand the scope. Either way, you will have to write a letter to your surgery declining consent for your data to be shared as a SCR.

If you want to opt out of the second database, care.data, you still have time, and that's the one the form I linked is for.

pausing I think your example is disingenuous, your username on here has lots of data which may make you identifiable, your medical records have only medical data. Unless you have a rare condition (and there are additional rules on sharing that), identifying you from medical records alone is nearly impossible

And date of birth, postcode and gender.

Plus "medical data" includes dates and places of treatments and hospital admissions (including everything to do with pregnancy and childbirth), family history, sometimes ethnicity, prescriptions...

It's hugely identifying.

I certainly don't put that much information on MN, and I also namechange.

MNHQ can aggregate my info because they have a single id number for me: that's a risk I choose to take. But ordinary MNers know me as multiple different ids that if I were less shit at remembering to NC they can't link.

Here's Ben Goldacre on re-identification from pseudonymised data without even having access to the name, full DoB or postcode:

"Here's one example: I had twins last year (it's great; it's also partly why I've been writing less). There are 12,000 dads with similar luck each year; let's say 2,000 in London; let's say 100 of those are aged 39. From my brief online bio you can work out that I moved from Oxford to London in about 1995. Congratulations: you've now uniquely identified my health record, without using my name, postcode, or anything "identifiable". Now you've found the rows of data that describe my contacts with health services, you can also find out if I have any medical problems that some might consider embarrassing: incontinence, perhaps, or mental health difficulties. Then you can use that information to try and smear me: a routine occurrence if you do the work I do, whether it's big drug companies, or dreary little quacks.

"This risk isn't necessarily big, but to say it doesn't exist is crass: it's false reassurance, which ultimately undermines trust, but it's also unnecessary, and counterproductive, like hiding information on side-effects instead of discussing them proportionately."

And that's something he wrote while still in favour of care.data, just a bit worried about it.

His next column begins:

"I am embarrassed. Last week I wrote in support of the government's plans to collect and share the medical records of all patients in the NHS, albeit with massive caveats."

And describes the HSCIC performance at select committee which tipped him into the No camp.

Playing devil's advocate, it could be argued that his bio online is the main culprit!

How else would they track one of 12000 men who became fathers to twins!

It's also a bit chicken and egg- you'd need to be looking for a 39 year old father of twins who moved from Oxford to London in the first place.

Not really.

It happens that his online bio is a particularly easy way to discover that small bit of info. But he's a doctor who publishes. There's likely to be info about him all over the internet which would give vague location like Oxford, then London c1995. That's before you add in people in RL contact personally or professionally.

And yes, it would be easier if you were specifically looking. But lots of people ARE looking.

In Goldacre's case, as he points out, he criticises the big pharma and woo industries. For us merer mortals, insurance companies are desperate to know this stuff. Prospective employers and banks in some instances do bonkers levels of investigation about people. There's a whole industry supplying "checks". This is only going to get worse as we move from nationalised insurance to private insurance for healthcare & income-replacement.

One of the things that shocked me during the phone-hacking scandal was an investigator saying on Newsnight "But it's ridiculous to stop journalists illegally blagging medical records and financial records and so on, when banks and lots of other organisations do it." They do? WTF?

Anyway, that's plain ol' victim blaming.

People are allowed to say they've moved from Oxford to London, and have twins, without it being a consequence that this will give unknown third parties access to their complete medical history.

It's not really victim -blaming.
If you write for the national press and choose to share your personal life - online and in print- then it's all out there. If you have chosen to do that then it's no one's fault but yours if that info is used.
That's not the same though as people having access to your medical records.

But you must surely know that if you have used a credit card or a store card - especially to shop online for groceries- that you are already profiled and your details being shared?

The amount of information that can be gleaned about anyone from their shopping habits is huge. The fact he may have nappies and baby stuff delivered to his home will tell any insurers or other companies a lot about him.

Oh and you only need to view someone on Linkedin to get a clear picture of their life!
Add all of this up and very little is secret.

I don't get your point?

Obviously anything you chose to publish you have put out there.

Equally obviously no one should have access to your medical records unless you have given them permission.

Selling intact medical records containing sufficient information that they can be identified to the subject merely by cross-checking them with normal, day to day information about the subject is clearly wrong.

It's not somehow the subject's fault that their normal, day to day information exists, or indeed that they're happy to actively share small parts of it. It's the fault of the people selling medical records that they are selling hugely detailed information that was only given to them in the first place under the condition they kept it confidential.

Sorry, substitute "wrongdoing" for "fault", as that was ambiguous.

I have read and re-read the piece you quoted and, maybe because it's out of context on the post and I should look on the link, I can't make sense of what he says ( and I'm not a stupid person!)

This is the quote..

"Here's one example: I had twins last year (it's great; it's also partly why I've been writing less). There are 12,000 dads with similar luck each year; let's say 2,000 in London; let's say 100 of those are aged 39. From my brief online bio you can work out that I moved from Oxford to London in about 1995. Congratulations: you've now uniquely identified my health record, without using my name, postcode, or anything "identifiable" . Now you've found the rows of data that describe my contacts with health services, you can also find out if I have any medical problems that some might consider embarrassing: incontinence, perhaps, or mental health difficulties. Then you can use that information to try and smear me: a routine occurrence if you do the work I do, whether it's big drug companies, or dreary little quacks.

What's behind this? How does the fact he is identified as one of 100 men aged 39 in London who had twins become to be known? Where is this info being accessed?

And how does his recent fatherhood mean all his health records are available?

Sorry- not being argumentative but something is missing from your example so it's doesn't mean anything ( to me.)

I think the point is that effective pseudonymisation is difficult to achieve, and without it, the anonymous use of our data is not something everyone feels comfortable with.

Some commitments were given when care.data was put on hold:

Begin collecting data from GP surgeries in the Autumn, instead of April, to allow more time to build understanding of the benefits of using the information, what safeguards are in place, and how people can opt out if they choose to;

Work with patients and professional groups – including the BMA, RCGP and Healthwatch – to develop additional practical steps to promote awareness with patients and the public, and ensure information is accessible and reaches all sections of the community, including people with disabilities;

Look into further measures that could be taken to build public confidence, in particular steps relating to scrutiny of ways in which the information will be used to benefit NHS patients;

I'm not aware that any of these things has happened - in July the BMA stated:

That this Meeting agrees that the care.data system should not continue in its present form as:-
i) it lacks confidentiality and there is a possibility for individual patient data to be identified;
ii) it carries the risk of GPs losing the trust of their patients who may feel constrained in confiding in them;
iii) the future potential users of the data are not well defined;
iv) it should be an opt-in system rather than an opt-out one;
v) the data should only be used for its stated purpose for improving patient care and not sold for profit.

The key things that care.data needs to get right is the de-identification of patients and clear, public scrutiny over the uses that the data gets put to.

OK, let's say someone happens to be looking for Ben Goldacre's medical records in particular.

They know from various publicly available sources that he's about 39, that he has twins, and that he used to live in Oxford and moved to London c1995.

They ask HSCIC for pseudonymised records for all fathers of twins born in the UK. (It would be perfectly reasonable to do a study on paternal factors affecting occurrence of twins.)

They get intact medical files, with just name, postcode and full DoB removed (but approx DoB remains because it's medical info).

When they get the data, they select all fathers born approx 1975.

Then they sub-select all fathers currently showing contacts with London hospitals or doctors.

They're now down to a small number of files. They go through looking for files which show previous contacts with Oxford hospitals or doctors.

If that yields more than one file, they narrow further by looking at the date when Oxford shifts to London.

By then they will probably be down to one file, say HSCIC id no 123ABC.

(And if not, they will keep looking for ways to differentiate till they do get it down to one - eg, one candidate asked for 6months' supply of malaria tablets in July 2002 but maybe Goldacre was doing talks in the UK all year; another candidate is a wheelchair user; and so on.)

Now they've identified that HSCIC id no 123ABC is Dr Ben Goldacre, they have his full medical record and they know it's his.

Of course it might be that HSCIC have started being more careful with data than before, and say, ah, but you don't need to know the locations of the hospitals for your study on twins, so we'll remove hospital name (if they even do that without huge hassle, which I doubt).

No worries.

Investigator asks for data for a separate, unrelated study on how men born c1975 use healthcare services. They choose 5 sample towns, Bristol, Birmingham, Sheffield... and Oxford and London. HSCIC decides to omit data about numbers of children because they're being careful, but merrily hands out the data about locations.

The investigator then cross-matches the new data to that for the "twins fathers study" - and HSCIC id no 123ABC is in both. And off down the track as before.

In fact, it would be possible to play battleships with all data sets once you had the HSCIC id no.

Ok- that's perfectly clear now.
what was unclear was that they already had medical records and were trying to find someone. I thought you were trying to say that the medical records could be found simply by using his details ( job, age, location, fatherhood) rather than finding him in records already obtained.

I can see the point of the Summary Care Record and won't be opting out of that (although I'm sure data will be lost, shared incorrectly etc.) but I will definitely be opting out of care.data. I do not want my private medical details sold on to the highest bidder. I'll be contacting my surgery tomorrow.