Picture: Flickr / Community Eye Health. Some rights reserved.
The government’s announcement today that private companies are to be given access to patient data for the princely sum of £1, is just the latest attack on the principles of patient confidentiality in the interests of commerce.
David Cameron signalled the intent back in 2011 when he announced that we are all to be research patients by default. Behind the window-dressing of scientific progress, lies a determined new policy on ‘open data’ which is about using your data – including your medical records held by the NHS – in order “to drive economic growth”. Under the new regime, your sensitive health information will be taken directly from your GP’s record system and presumed available for a variety of “secondary uses” that go beyond research or your direct medical care.
To enable this, the NHS Constitution has been rewritten and fundamental assumptions such as medical confidentiality are being overturned. In private, officials admit the end state of all this is unclear, but the public language about what is happening to your confidential medical records is carefully chosen to obfuscate and pacify.
One of the more misleading half-truths you will hear is that your data will be ‘anonymised’. Quite aside from the fact that NHS England applied for and has now been granted exemptions by the Secretary of State to process and pass around patient data in identifiable form, the ‘anonymising’ of data to avoid the rules which would otherwise apply to personal data does not guarantee privacy.
Truly anonymous data cannot be linked or matched to particular individuals. It requires statistical techniques like removing small number counts, adding ‘noise’ or perturbing aggregate data – to minimise the chance that particular individuals can be identified.
The ‘anonymisation’ proposed for your medical information is nothing like this. What in fact will be done is pseudonymisation – substituting identifiers such as your NHS number with less identifiable numbers or removing obvious identifiers such as name or address.
This means - along with the cross-matching of data from different sources - means that it will not be hard to apply clever statistical techniques for private companies to obtain data on identifiable individual patients. There has even been a suggestion that the NHS would provide this service for companies itself, for a token fee.
Even if this doesn’t happen, a lifelong aggregation of episodes, diagnoses and prescriptions, even if not in themselves rare or unusual, provides a wealth of reference points. Filtered by age, gender or geographical area it is surprising how few of these are necessary to pinpoint an individual. The task is made even easier when data is made linkable to other information gathered in other contexts in a patient’s life. And that is exactly what will happen: ultimately, each person’s social care records will join with their health records in one single, central repository.
As the marketing industry and researchers know, the value of your data lies in being able to make matches; truly anonymous data that cannot be linked is nowhere near as useful or exploitable.
Consent means giving your permission. In order to be valid, consent needs to be properly informed and freely given by a competent individual; patients need to know the intended use of their medical information and be able to choose to participate or not.
Most people would agree with the notion of ‘presumed consent’ in the context of their medical treatment. When going to a doctor or hospital, you expect that your information will be shared with other health professionals responsible for your direct care. But this “consent deal” – based in the trust people have in their doctors and the NHS – has been stretched to encompass a whole range of other uses, many of which are obscure or completely unknown to patients.
Dame Fiona Caldicott’s recent Information Governance Review refused to support the proposition that - because patients are presumed to trust their own doctor with their medical data - they should be presumed to trust commissioners, too.
Purposes such as medical research – for which most people are happy for their information to be used, so long as they are asked – are being conflated with uses such as patient-level tracking and monitoring, business planning and contract management. The drive to commodify medical records means the default is to make them accessible to more and more people less and less directly related to your medical care, constrained not by the professional duty of confidentiality that most patients presume but only by data protection compliance or contract terms and conditions.
The word ‘sharing’ has become a euphemism for the systematic extraction, processing and disclosure of vast amounts of deeply personal information. Taking something without consent is not sharing. Passing legislation to override doctors’ duty of confidence may make a practice lawful; however it does not legitimise it.
Explicit consent has been replaced by an assumed consent, with opt-outs about which minimal information is provided to patients. This is not informed consent. Worse still, despite promises that patients who have already opted out will have their wishes respected, new initiatives such as care.data a monthly upload of identifiable data from millions of patients’ GP-held records – mean that hundreds of thousands of people who have already acted to protect the confidentiality of their medical records will be forced to opt out all over again. Assuming, of course, they are even made aware of what is happening.
The arbitrary resetting of people’s ‘privacy settings’ is a behaviour one might expect of Facebook, not the NHS, and it speaks to a deeper erosion of trust. If patients cannot trust that what they say to their doctor will be kept in confidence, some will withhold information – putting not only their own health but the public health at risk.
Like this piece? Please donate to OurNHS here to help keep us producing the NHS stories that matter. Thank you.