Time for some truth about who is feeding off our NHS data

Mar 06, 2014 by Eerke Boiten
Good grief. Have you checked out the small print on this care.data deal? Credit: Machine Project, CC BY-SA

The UK government has decided to hold off on plans to upload GP records onto a central database for six months. But it may have to drop the plan permanently unless it can provide satisfactory answers to the uncomfortable questions that have been raised about the types of organisations already getting access to health information.

The official motivation for the delay to care.data is the indisputable lack of awareness among the public about their records being involved in the scheme and how they can opt out. The Department of Health and the NHS are stubbornly sticking to the line that a better publicity campaign will iron out all problems.

This is not the view elsewhere though. Anxiety about how the care.data scheme is being run is spreading. Serious questions are being asked by MPs from all parties in an ongoing series of special debates at Westminster. Worryingly, ministers appear to have been badly briefed for these, making a number of incorrect statements about past and future sharing of health records with third parties.

Few people are questioning the health and research benefits of sharing, but serious concerns continue over how the data is managed and what security and safeguards will be in place.

The furore around care.data has exposed the fact that some NHS data is already being shared with third parties, and has been for some time. Care.data may not actually be up and running, but a host of organisations, from universities to data analytics companies to insurance firms, are already getting access to the Hospital Episode Statistics (HES) database. The link is unsurprising – the core of care.data is HES with GP data merged into it, and the Health and Social Care Information Centre (HSCIC) manages both. The public is now seeing what third parties are already doing with HES, and they don't like it, which is bad news for care.data.

Who's getting our data?

It seems that data analytics companies have had access to sensitive information through perfectly legitimate means. A company called PA Consulting turned out to have collaborated with NHS England, using a tool called Qlikview and Google's Big Query to produce a "cloud" version of the HES database.

Google does not have cloud servers resident in the UK, so this means the UK health database was likely copied to servers in the US. This is potentially problematic in terms of the Data Protection Act. Official advice from the Information Commissioner's Office about sending data out of the country is available but it is currently unclear whether this advice was properly followed.

Either way, revelations about mass surveillance mean that people are right to feel jittery about information ending up on Google servers, whether or not the letter of the law has been followed.

Then, there is a consultancy firm called Beacon Dodsworth, which says it can use HES records to help companies with their social marketing campaigns, although HSCIC now states that this company only ever received anonymous aggregated data.

Reassurance on insurance?

Next come the insurance companies. HSCIC has repeatedly stated that using care.data information for insurance purposes would be prohibited or illegal but it turns out that HES has been used exactly for that.

Partially anonymised HES data has been used to establish more accurate actuarial estimates for insurance purposes by the Staple Inn Actuarial Society in a report called Extending the Critical Path.

There were fears that this data was not all that anonymised. Socio-economic classification information had been merged into it, which would not have been possible at the claimed level of anonymisation. It eventually became clear that the extra information had been added by HSCIC before the data was sold to the SIAS. But it would still have been possible for the SIAS, had it wanted to, to obtain enough information to re-identify many of the people in the HES database, having paid only around £20,000 for the privilege.

Altogether, it is now clear that a wide spectrum of commercial companies appear to have had some association with HES data and are using it in ways that do not provide any obvious health benefits and barely acknowledge – until the bad PR starts flowing – that it's our confidential medical data they are dealing with.

How do they decide who to share with?

In response to these reports, there has been demand from MPs like Conservative GP Sarah Wollaston and others for HSCIC to come clean about its data sharing arrangements. We already know that advisory groups DAAG and CAG take the decisions about sharing sensitive or identifiable confidential personal data, and they keep registers of past applications for access.

However, applications to access data that is considered "anonymous" are handled internally by HSCIC, which is, for many, not a transparent state of affairs, particularly since HSCIC has its own definition of anonymity that includes non-anonymous data if suitable controls are in place. That essentially means that any data could potentially be shared through this route, whether anonymous or not.

Concerns that HSCIC has the power to just make up the rules as it goes along led to a Freedom of Information request from Phil Booth of MedConfidential. HSCIC's response confirmed they had such discretion. In the enduring absence of any Code of Practice for HSCIC (required according to the 2012 Health and Social Care Act) how can we argue with that?

Even more worryingly, HSCIC said in the FoI response that it is "unable to state whether any organisations we have provided data to are providers of insurance since this is not a question asked when an application is submitted".

So HSCIC asks an organisation what it intends to do with the data and then simply stops asking questions. If a company provides medical services, it can apply to access data, and if it also happens to provide insurance services, it does not have to alert HSCIC to any need to regulate and monitor against possible sharing within the business. This is quite a naive stance for HSCIC to take.

All in all, we badly need HSCIC to come clean about past and future sharing, through a register and a code of practice. For full reassurance on care.data, further legislation on sharing may be unavoidable.

User comments: 1
btb101
not rated yet Mar 06, 2014
So who can I contact to make sure my personal data has not become public, and who can I prosecute if it has?