Privacy and Safety
From Nhs It Info
NPfIT wins a Big Brother Award (Sep 2004)
The British Journal of Healthcare Computing & Information Management
http://www.bjhc.co.uk/news/1/2004/n40923.htm
"Human-rights watchdog Privacy International (PI) announced the winners of its Big Brother Awards 2004 in July. It is the sixth year that the privacy group has run a competition to name those who have "done the most to devastate privacy and civil liberties in the UK". The Most Appalling Project accolade went to England's National Programme for IT in the NHS, for its national database of medical records and its continuance of plans to computerise medical records in a way that is both insecure and dangerous to patients' privacy. Issues involving patients' informed consent and overall control of the information in the records are currently of most concern."
Computer loophole hits hi-tech NHS trial (14 Nov 2004)
Sunday Times
http://www.timesonline.co.uk/newspaper/0,,176-1358226,00.html
"Part of the trial for the government's multi-million-pound scheme to computerise the National Health Service has been halted over fears that patient confidentiality may be compromised. Medical staff in a pilot project for the "choose and book" appointments system - designed to speed up referrals to consultants - claim it gives any doctor access to any GP's patient's records and allows them to make changes. Confidentiality is just one problem detailed in a leaked memo by a project leader in the national programme for information technology (NPfIT) which outlines seven reasons why doctors have refused to use the system, even in trials. . . The leaked document informed trusts involved in the scheme that doctors in Barnsley had refused to use the system. Although clinicians had been given access from July, "no actual live bookings have taken place". The scheme was then temporarily halted. The memo details a wide range of problems. In addition to allowing any user to access a patient's records, the system does not keep sensitive details such as HIV and pregnancy terminations from being made available on the NHS's central computer."
Sources of Complexity in the Design of Healthcare Systems: Autonomy vs. Governance (10 Mar 2005)
Workshop on Complexity in Design and Engineering, University of Glasgow
http://www.dcs.gla.ac.uk/~johnson/complexity/Proceedings/Dave_England.PDF
". . . In both the UK and US there are national initiatives to introduce greater use of IT in clinical settings. The broad aims of the NPFit (UK) and PACIT (USA) programmes are similar. They aim to streamline data processing to cut costs and reduce clinical errors. For example, it is proposed that electronic prescribing of medicines will cut costs in paperwork and reduce prescribing errors which account for a large number of patient deaths (44,000 to 98,000 deaths caused by medical errors in the USA). Both schemes aim to introduce electronic patient records, again to cut costs of paper records and reduce errors from paperbased systems. Both systems also look to more clinical governance and audit of medical processes so that medical staff are more accountable for their actions. The UK initiative is already displaying the signs of a large project out of control with the projected costs of £6Bn rising to between £18Bn and £31Bn. The lack of user centred design is evident by a recent (BBC) poll showing 75% of family doctors are not certain that NPFit will ever meets its goals. The first stage of the electronic appointment systems has largely failed to meets its use targets. However, a smaller scale introduction of region-wide IT in the Wirral was more widely accepted with 90% of family surgeries and the vast number of patients accepting the system. Thus IT systems can succeed. This is important for our work, for in order to succeed, it requires a working IT health infrastructure. Furthermore the twin goals of cost and error reduction may be mutually incompatible. As Reason points out (Reason 1997) organisations have processes for productivity and safety but circumstances will arise, either through unsafe acts or latent system weaknesses, which lead to organisational failure. Safety protocols may be violated in the name of efficiency or sets of latent weaknesses will line up to cause an accident. Many individual errors are the result of cognitive under-specification (Reason 1990) of the user"s tasks. In our project we aim to over-specify and support clinical tasks by describing them in the situation calculus. This will provide a robust means of supporting decision making and ensuring that chances to decisions protocols remain valid. . ." [A. Taleb-Bendiab et al]
Doctor's notes (29 Mar 2005)
The Guardian
http://www.guardian.co.uk/g2/story/0,,1447062,00.html
"Electronic medical records for all UK patients are in the final stages of planning. . . . But electronic medical records will not just be open to your necessary healthcare staff. Pilot studies have shown instances where the Department of Work and Pensions has accessed medical records in respect of benefit payments."
NHS Confidentiality Consultation - FIPR Response (25 Jun 2005)
FIPR
http://www.cl.cam.ac.uk/~rja14/fiprmedconf.html
"The fundamental question is whether the Department of Health should have a database containing a fairly complete record of every hospital treatment in the UK, including not just the treatment code and the cost, but also the name and address of the patient. A secondary question is whether the Department of Health should have an accessible central record of all a patient's care relationships. . . FIPR believes that no one in central government - whether ministers, DoH officials or NHS central managers - should have access to identifiable health information on the whole UK population. This is backed up by studies showing that although patients trust their carers with medical information, the majority do not trust NHS administrators."
Confidentiality - the final betrayal (25 Jun 2005)
BMJ Careers
http://careerfocus.bmj.com/cgi/reprint/330/7506/gp259.pdf
". . . The NHS National Programme for Information Technology (NpfIT) in England and Wales, now renamed as "Connecting for Health," has ordained that there will be an electronic patient record, and Scotland is not far behind. That record will not be in the form of a smartcard in the possession and control of the patient, but will be on a central database that will be shared among "the NHS family," albeit that blandishments over "need to know" are regularly issued. Initial ministerial promises that patients will be able to control what information is placed on what is known as "the spine" (information accessible to clinical staff outside the practice) are inexorably being undermined. Patients are authoritatively told that in an emergency it is essential that information is instantly available to wherever a patient may turn up; they seem to forget that Alexander Graham Bell"s invention was sufficient for this purpose during the whole of the 20th century. Until the potential consequences of this information incontinence are thought through, patients are initially attracted by it, perhaps forgetting that they developed their antibiotic rash after treatment for an embarrassing illness acquired during an extramarital adventure while on a business trip to Amsterdam. Once the genie of confidentiality is let out of the bottle it cannot be put back in, and the unintended consequence could well be that patients become reluctant to discuss the most intimate details of their health with their general practitioners. "There will be high security and audit trails," say the enthusiasts of electronic medical records, but I suggest that they are the equivalent of making your bank username and password potentially available to the entire clinical staff of what is the largest single employer in northern Europe"the NHS. In the United Kingdom we already have a flourishing business in identity theft. Am I being told that it will be impossible for a corrupt NHS employee to acquire the IT identity of another clinician? The first enquiry to be actively encouraged by unscrupulous investigative journalists will be for access to one Blair, Leo, dob 20 May 2000, address London SW1A 2AA, to see what childhood injections were administered. . ."
PCT safety culture needed to prevent errors (30 Sep 2005)
e-Health Insider Primary Care
http://www.ehiprimarycare.com/news/item.cfm?ID=1458
"A lack of understanding about IT systems and a failure to establish a safety culture are to blame for the publication of confidential information about 92 patients by a primary care trust, according to an investigation into the error. Melton, Rutland and Harborough PCT accidentally included identifiable information on 92 patients in its board papers and sent the information out to 35 people including the local media. The details, including patients" names, addresses and telephone numbers and the reasons why they had called an out-of-hours centre, were also available on the PCT"s website for a short time. The 32 page report into the incident by the PCT includes recommendations that the PCT promotes a safety culture in the use of information, raises staff awareness of IT systems, policies and procedures and reviews the use of patient identifiable information. . . The report says that the out of hours software package used by the PCT, Adastra, was not able to provide the detailed information required by the board so the PCT downloaded the data for more detailed analysis using Excel software. The subsequent document produced by "manager A" and overseen by "director B" included graphs created in Excel and then cut and pasted into a Word document with embedded information on all the patients who had attended two out of hours centres on two bank holidays in May. The report adds: "Neither Director A or Manager B were aware of the presence of embedded data within these graphs or that patient identifiable data was present for the May Bank Holiday attendance." The report reveals that due to pressure of work Manager A had also breached PCT policy by taking the relevant information home using a USB memory stick, making changes to the document and emailing it back to Director A in the early hours of the morning. . ."
Thousands of children at risk after computer fault (26 Feb 2006)
The Observer
http://www.guardian.co.uk/medicine/story/0,,1718325,00.html
"As many as 3,000 babies and toddlers may have gone without crucial vaccinations because a privatised NHS computer system has failed to monitor which children are due for jabs and whether they have received them. An Observer investigation has found that the child health information system, introduced last summer as part of the government's £7 billion IT programme, has derailed the country's entire vaccination programme, leaving health staff resorting to slips of paper to work out who needs immunising. Several women whose babies were stillborn have received letters asking them to take their babies for their first vaccinations. . . The problems began last summer, when primary care trusts across north London and Essex, covering some five million adults and children, switched over to a new system - Child Health Interim Applications (CHIA), run by BT. The system was supposed to work across different health districts, replacing one that for years had collected all the data of the immunisation of pre-school children. It was supposed to trigger an automatic response when a child was due to have a jab. . . But, according to the Health Protection Agency and others, it soon emerged that CHIA was not capable of producing the lists needed to record immunisation status of children. Nor was it capable of monitoring the health of the children, to show whether any suffered side-effects from vaccines. "
Focus: Anatomy of a £15bn gamble (16 Apr 2006)
Sunday Times
http://www.timesonline.co.uk/article/0,,2087-2136718.html
"The Nuffield Orthopaedic Centre was at the forefront of a multi-billion-pound revolution to modernise the entire computer system of the National Health Service " and the screens had suddenly frozen. Medical staff looked on in disbelief as they tried to retrieve lost records. . . Although the system was functioning again the next day, some patient files seemed to have disappeared completely. The trust was so alarmed that it sent a report to the National Patient Safety Agency, warning that it had posed a potential risk to patients."
Paradoxical access (May 2006)
Dr. Paul Thornton
http://www.ardenhoe.demon.co.uk/privacy/Paradoxical%20access.pdf
"Patient records will be unavailable for care with consent but widely accessible to others contrary to the wishes of patients. . . Large numbers of patients who live close to the boundaries between clusters will find that their GP in one "cluster" is unable to share a detailed care record even with the patient's consultant in the local District General Hospital if it is in the adjacent "cluster". GP's may even be disconnected from cross boundary district nursing teams. . . The active, expressed dissent of the patient will be required to place limited restrictions on the access to information. The proposals do not reach the standard of dialogue required for "implied" consent that was set by the previous Information Commissioner."
When did we last see your data? (8 Jun 2006)
The Guardian
http://technology.guardian.co.uk/weekly/story/0,,1792102,00.html
"Last month, the Information Commissioner's Office (ICO), the state-funded watchdog for personal data, published a report, What Price Privacy?. The title's question was answered with a price list of public-sector data: £17.50 for the address of someone who is on the electoral register but has opted out of the freely available edited version; £150 to £200 for a vehicle record held by the Driver and Vehicle Licensing Agency; £500 for access to a criminal record. The private sector also leaks: £75 buys the address associated with a mobile phone number, and £750 will get the account details. . . Medical professionals are concerned about risks to data security caused by the creation of the NHS's Connecting for Health's Care Records Service. That will establish electronic patient records for everyone in England, accessible at any NHS site, and replace on-site computerised or paper patient records. Users log on using a "chip and pin" smart card and number. Access will be limited to those with a reason, and there will be an audit trail. Patients will be able to put sensitive information in an electronic "sealed envelope". Last week Lord Warner, the health minister responsible, said the overall programme is more than two years late - due partly to software problems, but also to disagreements over access to records. Of 787 doctors contacted recently by researcher Medix for the BBC, 44% disagreed that the proposals to maintain confidentiality of records were satisfactory, while 21% agreed. Among GPs, 57% disagreed and 13% agreed. Dr Richard Vautrey, a Leeds GP and member of the British Medical Association's GP committee, says the technical security seems state of the art. However, "the proposal is that there will be an assumption of consent that records can be shared", he says. Patients will have to opt out of sharing. And it is not clear who might see records, Vautrey says. "The patient may be happy for a consultant to have access, but not a social worker." But once data is on the national system, patients may be unable to stop access by other parts of government, he adds. That could damage the trust between patients and doctors. Patients might refuse to divulge data, or demand a second "private" record is created - just what the system was meant to prevent."
GPs and their families urged to boycott NHS 'spine' (20 Jun 2006)
e-Health insider Primary Care
http://www.ehiprimarycare.com/news/item.cfm?ID=1956
"Last week"s local medical committees" conference voted in favour of a proposal to advise GPs to consider withdrawing from the spine after hearing about access to the personal demographics service (PDS) which holds demographic data on every patient in England. . . A total of 54% of representatives voted in favour of the proposal with 46% against despite a speech in defence of the PDS from Dr Gillian Braunold, national GP clinical lead for Connecting for Health and a GP in London."
Don't trust our data to NHS computers (22 Jun 2006)
Times Online
http://www.timesonline.co.uk/article/0,,8122-2236581,00.html
". . . If hackers could penetrate the Pentagon programs, the NHS database with its countless access points and numerous bona fide password holders will be easy pickings for hackers. It will also provide all the data that any government department should decide it must have so that, for example, an identity card database would be superfluous. And what happens when the system goes down, either for maintenance purposes or it crashes? No computer program is guaranteed crash-proof. I wouldn"t want my data to be unavailable when the worst happens to me. I would want it on hard copy. If the powers-that-be wanted a safe method of storing personal data, surely the smart-card system, whereby everyone had their own data on their own card kept in their purse or wallet, would be free from hackers and free from computer crashes."
NHS database? No one asked me! (7 Jul 2006)
The Register
http://www.theregister.co.uk/2006/07/05/nhs_readers_letter/
"I was horrifed to discover that here was the government creating a database of everyones patient records, records which up until now I had thought were privy only to my doctor and a few others at local level. . . I wrote to Patricia Hewitt's office and demanded an explanation and got by return a snooty letter saying how everyone would benefit from having access to their medical notes countrywide and how I should be grateful the database is being formed. . . Let's hear the other side of this debacle, how the Public is not being ASKED if it WANTS this database - what do you think the average person would say if they knew the implications of some nasty neighbour who worked in the NHS getting to look at their records or some hacker publishing their records on the Net? How cheated do you think a rape victim will feel if everybody gets to know because someone accidentally, or deliberately makes the information public? How long will it be before we all start getting refused insurance with no explanation and then find our insurance companies have read our medical history?"
NHS trust uncovers password sharing risk to patient data (11 Jul 2006)
Computer Weekly
The UK's largest NHS trust has discovered endemic sharing of passwords and log-in identifications by staff, recording 70,000 cases of "inappropriate access" to systems, including medical records, in one month. The Leeds Teaching Hospitals NHS Trust said there was a "wholesale sharing and passing on of system log-in identifications and passwords" and it warned that uncontrolled access "presents a considerable risk to the security of patient data" and consequently puts the trust at risk. The Leeds trust is the largest in the UK and includes the biggest teaching hospital in Europe. It has a budget of £730m, employs 14,000 people across eight sites and treats about one million patients a year. A management paper to the trust's main board, dated 6 July, said that in one month alone "70,000 examples were detected of inappropriate access of IT systems by trust staff". The paper added, "This took the form of wholesale sharing and passing on of system log-in identifications and passwords. The system misuse was widespread across departments, sites and disciplines." Doctors said the sharing of codes which give access to NHS systems and medical records was an ingrained practice within the NHS. This culture was recognised as a threat to the confidentiality of medical records which are due to be uploaded from local systems to a national data spine under the NHS's National Programme for IT (NPfIT). Under the NPfIT, sensitive information on 50 million people in England is due to go online, although this has not happened yet. NHS managers can discipline staff after a breach has occurred - but they cannot stop it happening. . ."
Doctors attack NHS IT system: Patient confidentiality at risk, say concerned sawbones (26 Jul 2006)
The Register
http://www.theregister.co.uk/2006/07/19/patient_confidentiality_risk/
"Doctors have spoken out against the controversial £12.4bn NHS IT system that is over budget and behind schedule, claiming that patient confidentiality is being put at risk by the system. Writing in the British Medical Journal, a series of doctors have said that it is unwise to put the medical records of the entire population on one computer. . . Meanwhile a report has discovered that NHS IT system security is being compromised because of poor or non-existent mobile device security. Carried out by Pointsec Mobile Technologies and the British Journal of Healthcare Computing and Information Management, the survey has found that two thirds of mobile data storage devices have inadequate security."
Call for national standards on remote access (22 Aug 2006)
e-Health Insider Primary Care
http://www.ehiprimarycare.com/news/item.cfm?ID=2081
"GPs are calling for national standards on remote access to practice computer systems because of concerns that present methods could potentially put patient data at risk. Dr Paul Bromley, a GP in Leek, Staffordshire, and colleagues from the EMIS National User Group are unhappy that the current arrangements delegate decision-making to primary care trusts (PCTs) and argue that definitive national guidance is needed. Dr Bromley, who has developed a special interest in remote access over the last few years, says that for several years he used the solution offered by Cable and Wireless, and latterly BT, which secured the connection between the remote computer and NHSnet. He told EHI Primary Care: "It was only later, after somebody pointed it out to me, that I realised the virtual private network tunnel only went as far as the NHSnet connection, not all the way to our practice server and so could be intercepted form within NHSnet." . . . The issue of remote access was the responsibility of the NHS Information Authority. Since its demise, however, this has been delegated to PCTs. GPs say they are concerned that no-one at PCT level will have sufficient expertise in remote access security."
Connecting for Health: IT and Patient Safety (24 Oct 2006)
Patient Safety
http://www.patient-safety.org.uk/October24.htm
"This meeting of the All-Party Parliamentary Group on Patient Safety aimed to discuss issues surrounding the Connecting for Health programme and to consider more broadly how IT solutions can best benefit NHS patients and practitioners.. . . Nigel Hawkes CBE, Health Editor of The Times stated that in principle the Connecting for Health programme is a positive step forward in providing safer patient care in the NHS. However, Mr Hawkes stressed that the Connecting for Health programme is currently largely incomplete and thus at present largely untested. He expressed concerns about system failures on the programme that have already happened in isolated areas and added that such failures could be disastrous if they occurred on a national scale. Mr Hawkes called for a greater provision of public information from the Government around the programme, so that patients fully understand how Connecting for Health will operate across the NHS. . . Dr Hamish Meldrum, Chairman of the General Practitioners Committee at British Medical Association, stressed that the introduction of IT systems to the NHS must be an evolutionary process and not thrust upon staff. From a GP's perspective, Dr Meldrum stated that Connecting for Health would in theory provide fast and reliable access to patients' medical records, which in turn will help inform clinical decisions. . ."
Warning over privacy of 50m patient files: Call for boycott of medical database accessible by up to 250,000 NHS staff (1 Nov 2006)
The Guardian
http://society.guardian.co.uk/health/news/0,,1936403,00.html (Front page lead story)
Millions of personal medical records are to be uploaded regardless of patients' wishes to a central national database from where information can be made available to police and security services, the Guardian has learned. Details of mental illnesses, abortions, pregnancy, HIV status, drug-taking, or alcoholism may also be included, and there are no laws to prevent DNA profiles being added. The uploading is planned under Whitehall's bedevilled £12bn scheme to computerise the health service. After two years of confusion and delays, the system will start coming into effect in stages early next year. Though the government says the database will revolutionise management of the NHS, civil liberties critics are calling it "data rape" and are urging Britons to boycott it. The British Medical Association also has reservations. "We believe that the government should get the explicit permission of patients before transferring their information on to the central database," a spokeswoman said yesterday. And a Guardian inquiry has found a lack of safeguards against access to the records once they are on the Spine, the computer designed to collect details automatically from doctors and hospitals. The NHS initiative is the world's biggest civilian IT project. In the scheme, each person's cradle-to-grave medical records no longer remain in the confidential custody of their GP practice. Instead, up to 50m medical summaries will be loaded on the "Spine. The health department's IT agency has made it clear that the public will not be able to object to information being loaded on to the database: "Patients will have data uploaded ... Patients do not have the right to say the information cannot be held." Once the data is uploaded, the onus is on patients to speak out if they do not want their records seen by other people. If they do object, an on-screen "flag" will be added to their records. But any objection can be overridden "in the public interest". . ."
http://society.guardian.co.uk/health/news/0,,1936149,00.html (Full story: "From cradle to grave, your files available to a cast of thousands")
Spine-chilling (1 Nov 2006)
The Guardian (Leader)
http://www.guardian.co.uk/commentisfree/story/0,,1936254,00.html
"The most closely guarded of secrets are often medical. A history of depression, a sexually transmitted disease or a long-ago abortion may well be deeply personal matters which many people would wish to remain private. Likewise, anyone who has recovered from a drug problem or from a suicide attempt may dread nothing more than these facts about their past getting into the wrong hands. Sometimes the desire for privacy reflects disposition, sometimes the potential impact on work or on family. Whatever the grounds, there is a right to expect that the confidentiality of one's medical history should be respected.Which is why there are good causes for alarm in our reports today about the way in which such data is being transferred to electronic records. There is a cause for real doubt about whether medical privacy can continue to be guaranteed. The creation of a centralised "spine" of all English medical records is at the heart of the government's £12bn IT programme, Connecting for Health. Modernisation, if carried out properly, offers advantages over a paper-based system. Currently, if someone falls ill away from home, a doctor can be left treating them with one hand tied behind their back, until the sluggish paper-trail catches up. A well-run computerised system should allow records to be accessed wherever they were needed. In principle, it should be possible to devise the system in a way that couples these gains with stringent privacy safeguards. But that is not what is happening. For one thing, under the plans, non-medical authorities could sometimes access the data when this is judged in the public interest. For another, it remains unclear whether patients will be able to block sensitive facts about themselves from being put on the general database. A third worry is the lack of clear rules limiting the type of information held on the database. Reassurance is especially urgent because of the poor record of government IT in general, and the unhappy history of Connecting for Health, in particular. With 250,000 people having access to the spine, the records will be as good as public unless the technology carefully controls who sees what. The Information Commissioner's recent damning report on privacy revealed a flourishing trade by private investigators in snooping out personal information from supposedly secure systems. Until it can be shown that confidentiality can be guaranteed, patients will be understandably uncomfortable about entrusting the system with their records. The case for efficiency is strong, but not at any cost. Privacy matters too."
A national database is not essential' What health professionals say about the new NHS database (1 Nov 2006)
The Guardian
http://society.guardian.co.uk/health/news/0,,1936174,00.html
"Paul Thornton, who has a website and runs a GP practice near Birmingham, wants the BMA to get counsel's opinion on the scheme. He says the Spine is dangerous and unnecessary. "A national database is not essential ... other mechanisms exist for the sharing of relevant information between directly involved health professionals ... without the need to leave a copy of the information on the nationally accessible database." This view is supported on practical grounds by Richard Fitton, a Derbyshire GP who has pioneered computer access by his patients to their own local records and was a member of the government's NHS IT advisory body. He told a Warwick University conference he disagreed with data being loaded on to a central system and preferred localised databases for patient care. He is an enthusiastic supporter of electronic record-sharing, with patient consent. But he says: "I've never liked uploading to the Spine - it's the wrong idea." . . . Richard Vautrey, who is a member of the BMA and the GP working parties on the subject, says "sealed envelopes" are probably unworkable, no agreement has been reached yet over the issue of explicit consent, and the data on the Spine could be attractive to the police. . ."
The woman falsely labelled alcoholic by the NHS (2 Nov 2006)
The Guardian
http://society.guardian.co.uk/e-public/story/0,,1937302,00.html
"Helen Wilkinson was mistakenly labelled an alcoholic after a simple computer error by the NHS. An unknown official at a hospital was updating her medical records and inputted a wrong code. The mix-up meant she was recorded as having received treatment for alcoholism, instead of surgery. Ms Wilkinson, 40, was furious and began a campaign to have all information about her permanently removed from the hospital's databanks. But she ran into a problem: the NHS already keeps electronic records on everyone who receives treatment from the health service, whether they are seen by a GP or at a hospital. She succeeded in her campaign only because she took drastic action - she withdrew from the NHS altogether so that her records were deleted. Now she is refusing to be treated on the NHS ever again if her personal details are stored on an NHS computer. "I am putting myself at risk. I am not going back on a database if it kills me," she said. Her case highlights two problems which are likely to grow with the government's plan to create a national database for all patient medical records. Firstly, millions of patients will inevitably have mistakes in their computerised records which will in the future be read by more people than in the past. The government has not yet delivered on a promise that patients will be able to check their records on the internet for mistakes. Officials say that "there is no firm date yet". Secondly, there is an unresolved question of whether patients who refuse to go on to national databases will still be allowed to receive treatment. . ."
Ministers to put patients' details on central database despite objections (2 Nov 2006)
The Guardian
http://www.guardian.co.uk/uk_news/story/0,,1937012,00.html
"Health ministers vowed yesterday to press ahead with uploading millions of medical records on to a central NHS database, even if many people objected to their personal details being included. The Department of Health scorned a campaign, described in the Guardian yesterday, to force the government to abandon the scheme on the grounds that it could breach the confidentiality of personal information. . . But some doctors and security experts have cast doubt on whether sensitive personal data might be divulged to the police or stolen by computer hackers. Ross Anderson, professor of security engineering at Cambridge University, said: "If enough people boycott having centralised NHS records, with a bit of luck the service will be abandoned." The government said there was no question of backtracking. Lord Warner, the health minister, said: "Health professionals cannot treat patients and decide to keep no record of it. Those records are not the property of GPs. Other health professionals need to access them to provide safe treatment. In that context, we have no intention of moving away from implementing the electronic care record. But we will ensure there is a public information campaign so that people know what is happening." The department will start uploading information about patients in two "early adopter" areas of England in the spring. "We will go ahead on the basis of implicit consent ... People can then choose to opt out of the system, but we will counsel them that if they do so they might jeopardise their safety. They would be saying nobody could have access to the information without their informed consent - and that might be difficult after an accident." By opting out, people could not get their medical record removed from the national database. . ."
NHS plan for central patient database alarms doctors (21 Nov 2006)
The Guardian
http://society.guardian.co.uk/e-public/story/0,,1953185,00.html
"A poll of doctors about the new £12bn computer system for the NHS shows growing unease about a potential threat to patients' rights. After answering questions by the medical pollsters Medix, the GPs and hospital doctors were invited to volunteer comments. Richard Johnson, a GP from Dalton-in-Furness, Cumbria, said: "I am extremely concerned that the public is unaware of the fact that their personal medical records may be uploaded to the national Spine [central database] without any real safeguard about who can access them. I believe such a move will destroy the concept of medical confidentiality and that patients will be unwilling to confide in their doctors and doctors may well be unwilling to record information given in confidence." Another GP said: "I feel we are being pressured into disclosures that would have been actionable by the GMC a few years ago." . . . The GPs were particularly critical of Choose and Book, which allows them to electronically book hospital appointments at a time convenient to their patients. The poll found half of GPs use the system for more than 40% of referrals. But among these regular users 90% say it increases the time taken to refer a patient to hospital and 70% think it is detrimental to patient care or makes no difference. One GP said: "Choose and Book is an unmitigated disaster. Patients want to be referred to a doctor I know, not a building from a brochure." . . ."
GPs revolt over patient files privacy (21 Nov 2006)
The Guardian
http://society.guardian.co.uk/health/story/0,,1953212,00.html
"About 50% of family doctors are threatening to defy government instructions to automatically put patient records on a new national database because of fears that they will not be safe, a Guardian poll reveals today. It shows that GPs are expressing grave doubts about access to the "Spine" - an electronic warehouse being built to store information on about 50 million patients - and how information on it could be vulnerable to hackers, bribery and blackmail. . . Ministers have committed a large slice of the NHS's £12bn IT upgrade to developing the Spine. They acted on the assumption that doctors would provide the information without asking their patients' permission first. The new system has been constructed to upload information from GPs' computer systems automatically, without giving patients a say. But the poll found 51% of GPs are unwilling to allow this uploading without getting each patient's specific consent. Only 13% say they are willing to proceed without consent and the rest are unsure or lack enough information to comment. Asked to identify the three most important concerns about confidentiality, 62% of GPs and 56% of hospital doctors said they were worried about "outsiders hacking into the system"; 62% of GPs and 51% of hospital doctors similarly feared "access by public officials outside health or social care". Other big fears included "bribery or blackmail of people with access to the records" and concern about "clinicians not adhering to the rules". . ."
GPs threaten to snub NHS database (21 Nov 2006)
BBC News
http://news.bbc.co.uk/1/low/health/6167924.stm
"Half of all GPs will consider refusing to put patient records automatically on to a new national database in defiance of the government, a survey finds. The Guardian newspaper poll of 1,026 GPs and hospital doctors found many doubted the security of the new system. Four out of five thought the confidentiality of their patients' records would be at risk. The government hopes the new database will store medical information on about 50 million patients in England. The electronic warehouse, dubbed Spine, is part of the NHS's £12bn IT upgrade, which aims to link up 30,000 GPs to nearly 300 hospitals and give patients access to their personal health and care information. The Guardian poll found that while most GPs believed a national electronic record would bring clinical benefits to patients, 51% were unwilling to allow people's data to be uploaded without their permission. More than 60% said they feared the system would be vulnerable to hackers and unauthorised access by public officials from outside the NHS and social care. . ."
Children"s Databases: Safety and Privacy - A Report for the Information Commissioner (21 Nov 2006)
Foundation for Information Policy Research
http://www.fipr.org/childrens_databases.pdf
". . .Conclusion: This is a critical point at the evolution of data protection law and practice in the UK. Britain has paid less attention to privacy than our continental partners; the weak implementation of European data-protection law and the poor resourcing of the Information Commissioner"s office are familiar enough complaints. At the same time, a number of centralising initiatives (from the NHS Care Records Service to the ID cards project) have combined to raise public disquiet about privacy. . . The children"s database systems will shortly be followed by other social-care systems, notably for older people and for the mentally ill. Data collection under the rubric of social care will leave few families in Britain untouched. Ultimately, if illegal systems are built, they will be challenged in the courts. If the Commissioner prevents that by regulatory action now, he may irritate the system owners in the short run " but will save much more anguish and expense later."
Doctors have 'very legitimate concerns' over NHT IT patient records say Lib Dems (22 Nov 2006)
PublicTechnology.net
http://publictechnology.net/modules.php?op=modload&name=News&file=article&sid=6853
"Commenting on a survey suggesting half of all family doctors could refuse to put patient records on a new national database because of fears they will not be safe, Liberal Democrat Health Spokesperson, John Pugh MP said: "These doctors have very legitimate concerns. The Government"s new computer system will enable private patient records to be uploaded and available to a number of agencies outside of the NHS without the patient being any the wiser. There is a danger the public interest exception may be used as convenient catch-all to justify any kind of snooping by a public body. Patients and doctors need to know how access to this highly personal information is to be controlled in practice, and how unnecessary intrusion into a very private sphere is to be identified and prevented. Without real clarity and meaningful assurances, the NHS IT system risks being yet another expensive bureaucratic mess that undermines civil liberties." In a letter to John Pugh, Richard Thomas, the Information Commissioner (16th November 2006) confirmed: "It is my understanding that a disclosure will not be made to an organisation beyond the NHS unless the patient consents, the law allows it; there is a court order or the disclosure is considered to be in the overriding public interest." . . ."
Work begins on merging Health and Social care records (24 Nov 2006)
The Register
http://www.theregister.co.uk/2006/11/24/health_social_record/
"Work has begun on a social care equivalent of the care records guarantee for medical records, paving the way for merging health and social care records. The plans were disclosed as part of a debate at the annual Care Records Development Board meeting in London, yesterday. The work is still at a very eary stage, and no final decision has been taken as to whether or not a single record will be created. But the possibility of two services sharing data in this way illustrates exactly those concerns about patient privacy and confidentiality that have been raised by opponents of a centralised medical records database. The workshop - a group of forty or so patients, health professionals and other interested parties - was asked to debate the proposition that there should be a "single holistic record" of patient care, encompassing not just health records, but social care information. The idea, the session chair explained, is that information should meet the needs of the individual, rather than the other way around. It was during the ensuing debate that the news of the planned social care records guarantee emerged. The care records guarantee (pdf) sets out the rules that will govern the management of information in medical records when the NHS Care Records Service goes live next year. . . Many of those attending the workshop were concerned that sharing records would dilute the quality of care, and could compromise the quality of a patient's relationships with his or her carers. Some people might be reluctant to share information with their GPs if they thought social services would also have access to that information, one delegate suggested. . ."
CfH report confirms confidentiality risk (27 Nov 2006)
The Register
http://www.theregister.co.uk/2006/11/27/care_record_conf/
"Plans to upload medical records onto a central database - the so-called spine - will put patient confidentiality at risk, Connecting for Health (CfH) has been told by its own consultants. In its own risk analysis of the project, the agency responsible for centralising the country's medical records has acknowledged that GPs' concerns about patient confidentiality have merit, and that it would be safer to store records locally. According to Helen Wilkinson-Maker of The Big Opt Out, a campaign group opposed to the spine, the risk analysis was intended to consider two scenarios: a spine with and without "sealed envelopes", sections of the medical record marked by the patient as not to be shared. However, during the consultation with health professionals, civil servants, and patient representatives, a third scenario was put forward for analysis: that of locally held, digital medical records. This was found to present much lower risk of confidentiality breaches, according to the report. . . The consultants identified a conflict between patient safety and confidentiality: records with some details kept hidden were found to put patient safety at a greater risk than those with all the medical information in the clear. This is because the potential for error in diagnosis or treatment is much higher if all the facts are not known, the report says. Meanwhile, patient confidentiality is at its most secure when some information is not just sealed in a single envelope, but in a variety of envelopes, with data being stored locally, and therefore only being accessible locally. . ."
Local sealed envelopes 'probably safer' (28 Nov 2006)
e-Health Insider
http://www.ehiprimarycare.com/news/item.cfm?ID=2302
"A risk analysis conducted for NHS Connecting for Health has concluded that patient care would probably be safer using locally held sealed envelopes rather than storing them on the NHS data spine. The recommendations in the internal document, written by risk management company Det Norske Veritas and delivered to CfH in September, would seem to cut across the Department of Health"s original vision that Detailed Care Records for every patient will be held on the spine, including sealed envelopes. EHI Primary Care understands that CfH"s current policy on sealed envelopes, as outlined by Professor Mike Pringle, co-GP clinical lead at GP engagement events across the country, is for a two tier system of "sensitive" and "extra sensitive" information for sealed envelopes with extra sensitive information not available outside the clinical team that created it. Dr Paul Thornton, a GP in Kingsbury, Warwickshire who is campaigning against the consent and confidentiality proposals for the NHS Care Records Service (NCRS), is publicising the report which he says highlights the problems of holding all patients" records on the spine. He said: "These confidentiality risks to health have been found to outweigh the benefits from automatic sharing of health information on a national database. The more that information is accessible by all health workers, the less likely it becomes that crucial information will be divulged to any one of us." The Det Norske Veritas consultants were originally asked by CfH to weigh up the relative risks of sealing information against a situation where sealed envelopes were not available. During the course of compiling the report a third possible approach, of sealed envelopes held locally, was included in the review and the conclusion was that it provided the lowest risk to patient safety and confidentiality. . ."
GPs fear flawed computer system (28 Nov 2006)
EDP.24
"A central database of patient records is proving expensive and potentially flawed, doctors in East Anglia are warning. An electronic system, called the Spine, is being set up to store the medical details of 50m patients across the country. But there are concerns about who will have access to it and whether it will be vulnerable to computer hackers. Half of family doctors in a recent survey said they would refuse to add their patients' records to it. Simon Lockett, secretary of Norfolk's Local Medical Committee of GPs, said: "There is no particular reason why the technology shouldn't ensure good confidentiality, but obviously human error is possible and I know some patients feel very strongly about confidentiality. Most of us feel the technology is possible and can probably be operated in a safe way, but I am sure it will cost an awful lot and may not happen at all." Geoff Reason, Eastern region head of health for public sector union Unison, said: "Our concerns are around the management of the project. The NHS has not got a completely brilliant record when it comes to implementing IT. There is a feeling they have tried to do too much at once and there are real concerns around privacy given the ease with which people might be able to hack into computers." Some patients in Norfolk have already written to their doctors to ask that their details are not added to the Spine."
Most patients reject NHS database in poll (30 Nov 2006)
The Guardian
http://www.guardian.co.uk/uk_news/story/0,,1960170,00.html
"A national campaign was launched last night to persuade people to refuse on privacy grounds to have their medical records uploaded to a national database. Guy Herbert, of the No2ID group, which is also campaigning against the introduction of identity cards, said: "We'd like to get up to a million people to contact their GPs." The campaigners, who are part-financed by the charitable Joseph Rowntree trust, released ICM poll findings commissioned by the trust which they said showed a majority of the population was hostile to Whitehall's plans. The figures show 53% of those questioned were either "strongly opposed" or "tended to oppose" the centrepiece of the Department of Health's £12bn NHS computerisation scheme. . . On the platform at last night's campaign launch in London was the former Conservative foreign secretary Sir Malcolm Rifkind. Although he and the Tories are not officially linked to the NHS data opt-out campaign, he spoke in support of opposition to identity cards, and to government databases in general. Sir Malcolm said: "The case for identity cards or other large databases must be based upon hard evidence." There had to be safeguards in place against potential abuse: "These criteria are not being met on either ID cards or other measures that restrict civil liberties." . . . The government claims there will be elaborate safeguards built into the system which will prevent unauthorised access to the intimate medical details of 50 million people. But Connecting for Health, the NHS agency responsible for the database programme, suffers another blow today. The latest issue of the GPs' magazine Pulse describes an internal health department report which found that so-called "sealed envelopes" - a key part of the planned data safeguards - were likely to be insecure. The department was hoping to deal with this problem by introducing a further layer of security - the "sealed and locked envelope", which could only be opened by the clinician who originally composed the file. But Dr Paul Thornton, a GP in Kingsbury, Warwickshire, who is one of the No campaigners, said this would not necessarily solve the problem.
GPs angered by call to reveal names of NHS database rebels (2 Dec 2006)
The Guardian
http://www.guardian.co.uk/uk_news/story/0,,1962282,00.html
"The Department of Health provoked uproar among doctors yesterday by asking GPs in England to send in correspondence from objectors who do not want their confidential medical records placed on the Spine, a national NHS database. Sir Liam Donaldson, the chief medical officer, said letters from patients who want to keep their private medical details out of the government's reach should be sent to Patricia Hewitt, the health secretary, for "full consideration"." . . . GPs wrote to the General Medical Council asking for a ruling on whether Sir Liam had broken the doctors' code of good practice by using his authority to encourage GPs to breach patient confidentiality without clinical justification. Sir Liam's letter complained about "misleading statements" in a Guardian article on November 1 that the police and other agencies might be able to access medical records once they had been loaded on to the national database. The article included a form of words patients could use to ask Ms Hewitt to refrain from uploading their records without their explicit consent. Sir Liam said patients were sending a similar request to GPs instead of the health secretary. He added: "If you do receive any such letters I would ask you to send them to the Department of Health so they may receive full consideration." Hamish Meldrum, chairman of the BMA's GPs' committee, said: "The chief medical officer's intervention is not helpful and GPs should not forward these letters. It is possible that some patients might think this is a breach of confidentiality in that a letter sent to their GP is forwarded to somebody else without their consent." Paul Cundy, the BMA's spokesman on IT, said: "For a GP to forward such letters without the explicit consent of the patient would be a gross breach of privacy. In effect it is asking GPs to spy on his behalf. He should retract immediately. . ."
Health officials reject requests to opt out of patient database (4 Dec 2006)
The Guardian
http://www.guardian.co.uk/uk_news/story/0,,1963222,00.html
"Patients who have complained about the idea of having their confidential medical records uploaded on a new centralised NHS database were sent letters over the weekend flatly rejecting their concerns. In an uncompromising statement, the Department of Health said nobody could have genuine grounds for claiming "substantial and unwarranted distress" as a result of having their intimate medical details included on a national computer system, known as the Spine. For that reason, "it will not agree to their request to stop the process of adding their information to the new NHS database". . . Last night doctors' leaders said the department's letter failed to take account of patients' rights under the Data Protection Act to refuse to allow information about them to be copied from one database to another. Paul Cundy, joint chairman of the IT committee set up by the British Medical Association and Royal College of GPs, said: "Patients do not have to prove severe distress. If patients decide they do not want their medical notes to go on the national system, they have an unalienable right under the Data Protection Act to refuse." He said the department asked any patient with "unique and personal reasons for claiming substantial and unwarranted distress" to write explaining them to its Whitehall customer service centre. But Dr Cundy said this put patients in a Catch-22 situation. They were being asked to reveal to officials the specific reasons why they did not want information revealed to officials."
The temptations in a digital society (4 Dec 2006)
Media Guardian
http://media.guardian.co.uk/mediaguardian/story/0,,1963047,00.html
"The government's plans to digitise the nation's personal records could be a goldmine for journalists willing to break the law. Details on millions of people will be compiled in databases accessed by thousands of officals. The bigger the system and the more people that use it, the less secure it becomes. Ross Anderson, professor of security engineering at Cambridge University, sees a parallel in banks' moves from branch-based computer systems to centralised ones in the mid-1980s. Previously, accessing account data meant nobbling someone within the target branch or group of branches; and at present, a patient's GP notes are normally only available at their surgery. "It makes it much easier to get information out," he says. Staff using NHS systems, which will eventually include summary health records for all patients in England, log on with a smartcard and Pin number, but Anderson says he knows of an emergency ward where a nurse logs on at the start of a shift and leaves it open, to save time. The Department for Education is planning an index including every child in England. The Association of Chief Police Officers is using numberplate recognition technology to record the details of all vehicles passing CCTV cameras . The National Identity Register, which will eventually hold data on all adults including fingerprints and facial scans, may also act as a key to other databases. The Home Office says it vets staff - misuse of National Identity Register data can lead to jail sentences of up to 10 years. The Information Commissioner has called for stronger penalties for misuse of other data. But for unscrupulous journalists and investigators, the pickings could be rich."
Patients win right to keep records off NHS computer (16 Dec 2006)
The Guardian (Front page story)
http://www.guardian.co.uk/frontpage/story/0,,1973338,00.html
The government has bowed to privacy concerns about a new NHS computer system and conceded that patients should be allowed a veto on information about their medical history being passed from their GP to a national database. Following a Guardian campaign against the compulsory uploading of personal details to the system known as The Spine, Lord Warner, the health minister, will announce a plan that would allow individuals to review and correct their records and withhold them from the database. . . This month the Department of Health sent more than 1,300 curt letters rejecting requests from patients for their medical details to be kept off the national database. But ministers have changed their minds after advice from a taskforce on patient records headed by Harry Cayton, the department's "patient tsar". Under his scheme, GPs would ask every patient to give their explicit consent for a summary of their record to be put on the national database. They would be given a few weeks to review the summary and call for corrections or amendments to be made before they consented to the upload. In a key departure from the previous position, the taskforce said: "Some patients may ask for their summary care record not to be shared or uploaded at all." Lord Warner said it was not yet possible to guarantee a right of veto. Some doctors were concerned that patients might be putting themselves at risk by refusing access to records that could save their lives in an emergency. . . But he conceded it was technically possible for patients to refuse to let their data be uploaded and the government was considering how to make this happen. . . Lord Warner said the government remains firmly committed to the creation of a national database and hopes to persuade the vast majority of patients to consent to their records going on it. . . Lord Warner said 1,351 people wrote to Patricia Hewitt, the health secretary, demanding that their medical records should not be uploaded, using a form of words devised by Ross Anderson, professor of security engineering at Cambridge university, a leading critic of the scheme."
How patients' protests forced a rethink on NHS computer records (16 Dec 2006)
The Guardian
http://www.guardian.co.uk/uk_news/story/0,,1973239,00.html
"The government's change of policy on patient records, disclosed in the Guardian today, is the first departure from a roadmap drawn by Tony Blair in 2002 when he approved a scheme to spend billions on a new IT system for the NHS. The prime minister was captivated by the vision of a national database containing the medical records of 50 million patients throughout England. Heads of the corporations developing cutting edge technology convinced him that lives could be saved if doctors, nurses and paramedics could gain instant access to key information about patients that might cause conventional treatments to cause life-threatening reactions. nstead of consultants waiting for hours to locate the patient's GP and ask for relevant information, a paramedic on the scene would be able to access data from a palmtop computer. Who could object? Mr Blair thought nobody would when he authorised what eventually became a £12bn scheme to connect more than 30,000 GPs to nearly 300 hospitals and their outposts in the ambulance service. . . From the outset, the patient record was a key component, but nobody thought to ask whether patients minded having medical details put on a national system which could potentially be accessed by a large proportion of the NHS's 1.3 million staff. The British Medical Association was divided. Consultants in hospitals with poor IT systems were enthusiastic. GPs whose IT systems tended to be more up to date were anxious about sharing patients' medical secrets without asking consent. Lord Warner, the health minister, set up a taskforce under Harry Cayton, the patients' "tsar", to work out a compromise between GPs who wanted patients to choose to opt into the scheme and others who feared the most vulnerable patients would not bother to make the choice. For civil liberties campaigners, the internal debate missed the point. They mistrusted promises of electronic security locks. On November 1, the Guardian carried a coupon compiled by Ross Anderson, professor of security engineering at Cambridge University. It prompted 1,351 people to write to Patricia Hewitt, the health secretary, using the coupon or words from it, to demand their medical records should not be uploaded. . . Lord Warner's response will fall well short of a guarantee of a complete opt-out from the system. But he said the government is now concentrating on how to give the opt-out, not whether to give it."
Electronic care records go ahead (16 Dec 2006)
BBC News
http://news.bbc.co.uk/1/hi/health/6184043.stm
Ministers are to press on with plans for a controversial electronic medical records system. The government's patients' tsar Harry Cayton will say the system, which will hold records for 50m people in England, is needed to modernise the NHS. Only people who can prove the system will cause them substantial mental distress will be exempt. But doctors warned creating the record without a patient's consent could harm the doctor-patient relationship. Health correspondent Adam Brimelow said the computerised patient record scheme is central to a huge and expensive upgrade of the NHS IT system. Under the system, everyone will have a computer-based care file with basic information such as medication and allergies, drawn from GPs' records. A poll of over 1,000 GPs by the Guardian newspaper last month found half would consider refusing to put patient records automatically on to a new national database. Many said they doubted the security of the new system. Pilots will begin in the spring with national roll-out expected by the end of the year. The government says it aims to make unscheduled treatment - including care in emergencies - quicker and safer, as well as protect patient confidentiality. Patients will only be able to have their records removed if they can show holding them will cause them substantial mental distress. However, they will be allowed to check the details are correct and make amendments online. How more detailed and sensitive data will be stored is still being looked at. . ."
Minister admits U-turn on NHS database amid privacy fears (19 Dec 2006)
The Guardian
http://www.guardian.co.uk/guardianpolitics/story/0,,1975035,00.html
The government gave a categorical assurance yesterday that NHS patients would have an absolute right of veto on any part of their medical records being uploaded to a national database. The health minister Lord Warner confirmed a report in the Guardian on Saturday that the government was abandoning an attempt to oblige GPs to provide a medical summary on every patient for a centralised electronic record. He acknowledged changing the policy over the past few weeks in response to the concerns of patients who feared unauthorised disclosure of their medical histories. He said the fears were groundless but offered assurances that were firmer than in the briefing to the Guardian last week. He said: "For all of them, if they don't want to have their information uploaded, they can stop it before it is uploaded." However, he said that the campaigners did not have the right to stop the scheme completely: "People who want to say a curse on the devil and all his works can stop their information being uploaded, but they can't stop other people having the information about them uploaded." . . Helen Wilkinson, national coordinator of The Big Opt Out, a campaign against the database, said: "People should opt out now, if only to wait and see if the government delivers the 'protections' that it is promising and whether they are credible." . . ."
A question of consent (19 Dec 2006)
The Guardian (Leader)
http://www.guardian.co.uk/leaders/story/0,,1974883,00.html
"Seventy five pounds for an ex-directory number, £150 for the address a car is registered at and £500 for a criminal record. These are just some of the tariffs that the information commissioner last week revealed had been paid by journalists for personal data, exposing how established the market in snooping has become, in spite of strong theoretical safeguards. When, against this background, a new national patient register is being introduced - which a quarter of a million people will have some measure of access to - it is right that claimed guarantees of confidentiality be treated sceptically, however worthwhile the new database may be. And electronic records certainly could be useful, bolstering care where patients run into emergencies away from home, as well as speeding the transfer of information needed for day-to-day care when a patient moves from one physician to another. But with medical data being so personal, and with confidentiality at the heart of the patient-doctor relationship, both the Guardian and the British Medical Association expressed fears about whether the new centralised "spine" was really secure enough. Then, last month, our survey revealed that most family doctors shared these concerns and that half might defy the official requirement to upload their patients' details, potentially rendering the whole project unworkable. Yesterday, as it unveiled the next steps towards implementation, the government showed at least some signs of having listened. When the first information is uploaded, in trials next year, aside from demographics it will cover only allergies, medication and adverse reactions, all details that there is a clear clinical advantage in sharing. Yet, even with such tightly defined information, extremely serious implications for privacy remain. People on very many medications . . . may have deep anxieties about this being known by anyone but their own GP. That is why it is so crucial that the government seemed to signal yesterday that patients should be able to amend their details before they are uploaded, or indeed, to opt out of having their record shared at all. . . With such personal data, truly personal consent for sharing is surely needed."
Sending a shiver down my Spine (20 Dec 2006)
The Times
http://www.timesonline.co.uk/article/0,,6-2512104,00.html
"An electronic record, which we may see and correct, available instantly to any doctor or nurse who needs it? Sounds wonderful. Yet the Government is facing a wave of protests from patients and GPs. Most of this is down to arrogance: the "we know best" attitude that characterises not just much of the medical profession but Whitehall as well. Take the broken promise about compulsion. At first, two years ago, ministers said that people would be allowed to opt out of the electronic system. Then, this year, in an abrupt change of policy and a Big Brotherish assumption that the national pooling of information was more important than your right to privacy, it said that patients would be allowed to opt out only if they could prove that it would cause them "substantial and unwarranted distress" to be included. Thankfully, that decision was overturned this week and the Department of Health said anyone can ask to keep his or her medical records off the register after all. You have to ask, mind; consent will be implied if you do not. A further safeguard is promised, if you are on the register: you will be able to nominate specific information to be placed in a "sealed envelope" that will be opened only with your consent or in urgent circumstances. So far, so reassuring. So why won"t I be on the so-called Spine, this record of 50 million patients? Because I do not trust the security. Some 250,000 health staff will have access to your details, at varied levels, with individual access codes. Social workers, health managers, private medical firms and researchers will be given access too. How careful will they be with the information? What to a doctor or statistician is one lady"s banal decision to have an abortion in 2006 might to that woman be her most personal and delicate secret, and perhaps it might even be a secret to her husband too. Now imagine that woman was called Madonna (I am making this up, obviously) and weeks after the abortion she adopted an African baby " that information would be worth tens of thousands of pounds to some journalists. Now imagine that you are a nurse coming to the end of a six-month contract and about to be sent packing back home to the Philippines or Malawi. You are on triage at A&E, logging patients on arrival. You are using one of the hundreds of spare log-ons for the thousands of temporary staff whom the NHS employs daily. And you will have access to the entire database; A&E is the sort of place that has to have access, because people arrive unconscious or confused. Now imagine the temptation to sell that information about Madonna. You will be back home with enough money to buy the village by the time it appears in the papers. . . I have no doubt that at some point we shall all have electronic medical records. I would prefer them to be in my hands, with a smart card I carry if I choose, giving access to people I select, and to NHS emergency staff if I am unconscious or incapacitated. I"ll take the risk of mislaying it. Now that would really be putting power in the hands of the patients. But until the Government can at least answer detailed questions about exactly how its proposed system will work, I cannot think why anyone would want every spit and cough of their personal medical details made available to hundreds of thousands of people, and more. I, for one, would prefer to remain spineless."
NHS records pilots set to run (21 Dec 2006)
IT Week
http://www.itweek.co.uk/computing/news/2171358/nhs-records-pilots-set-run
"The first pilots of the national electronic health records system will go ahead in the spring, against a backdrop of compromises over patients" security concerns. The control of access to centrally-held information has been an ongoing issue for the £6bn National Programme for NHS IT (NPfIT). Login to the database is controlled by a high-security smartcard and only clinicians with a "legitimate relationship" will be able to see health data. But concerns remain over patient control of their information. Following a report from an independent taskforce, patients will now be able to check, and potentially veto, the data being uploaded to the central data spine. Those not actively opting out will be considered to have consented. NHS IT director general Richard Granger, who is responsible for the technology programme, says security concerns must not be allowed to undermine the improvement of patient care. "Concerns about data security may be marshalled by an active lobby of healthy sceptics to the detriment of the ill, and avoidable fatalities will result," he said. The debate highlights continuing communications issues between clinical groups and the central programme. The British Medical Association says a lack of early consultation with doctors is at the root of the confidentiality concerns. . ."
Headed for the rocks (21 Dec 2006)
The Guardian
http://www.guardian.co.uk/comment/story/0,,1976589,00.html
"The NHS's ill-starred computer project is in the news again. After polls showed that most doctors and patients oppose a compulsory national database of medical records, health minister Lord Warner produced a report on Monday and promised an opt-out. But don't break out the champagne yet. The report was cleverly spun; hidden in an appendix is confirmation that you can opt out of the Summary Care Record, but not the Detailed Care Record. The first is merely a synopsis for emergency care. It will have your current prescriptions, and will say, for example, whether you are diabetic. But ministers are not offering an easy opt-out from the second - the database replacing your current GP and hospital records. They plan to "upload" your GP data over the next year or two to a regional hosting centre run by a government contractor. The data will initially remain under your GP's nominal control but, after hospital records have been uploaded too, the chief medical officer will be the custodian of the whole lot. Your "electronic health record" will be used for many purposes, from cost control through audit to research. So the Home Office plans to use health data to help predict which children are likely to offend (despite a recent report to the information commissioner that collecting large amounts of data on children without their parents' consent will probably break human rights law). Yet confidentiality is often vital for care. . . The NHS computer project also has grave safety and performance problems. Moving patient records from the hospital or surgery to remote computer centres means that network failures cause havoc. What's more, the NHS computer system is showing all the classic symptoms of turning into a software project disaster, with changing specifications, slipping deadlines and soaring costs. The NHS must not be dependent on it. The convoy is heading for the rocks, and perhaps only one man can alter its course. Gordon Brown will have to decide soon whether to scrap the central database and build safe systems that will work. If he calls it wrong then - as with Blair and Iraq - it may well be the decision for which he is remembered."
BMA may seek NHS records system boycott (22 Dec 2006)
The Register
http://www.theregister.co.uk/2006/12/22/bma_nhs_record_systems_boycott_call/
"Doctors will be advised to refuse to use the NHS's computer system unless the Department of Health (DoH) changes its mind on behaviour which the British Medical Association says is unlawful. The DoH has refused to allow a large number of patients to opt out of its controversial computerised patient records system, which is still in development. The BMA says that that refusal is unlawful and could result in a boycott of the system by GPs. "We believe this particular suggestion by the DoH is unlawful and certainly it's outwith our understanding of the Data Protection Act," said Dr Richard Vautry, the BMA's negotiator on IT issues and a member of its GP committee. "If they insist on that position, which we think is untenable, then it would mean that we would be obliged to advise practices not to get involved in putting any information into the summary care record," Vautry told OUT-LAW. The system depends on GPs inputting the information and would be likely to collapse if GPs refused to carry out that task. "I'm sure practices would be very unwilling to do so because they would feel that it would put them in a very legally indefensible position," said Vautry. The DoH did not respond to a request for comment before publication. The controversy stems from a letter sent by the DoH to a large number of people who asked to opt out of the system. The Department told them that they could not opt out unless they could show 'substantial and unwarranted distress' would be caused by being in the system. The BMA says that the Department had no right to make that judgment. . ."
Time to go public (27 Dec 2006)
The Guardian (Leader)
http://www.guardian.co.uk/commentisfree/story/0,,1978859,00.html
"Privacy is one of those concepts which are easier to understand than define. A human life of any quality relies on a reasonable expectation of privacy. Yet modern technology - whether deployed by corporations, individuals, media or the state - offers unlimited scope for intrusion into private lives. . . With official databases so easily penetrated it is reasonable to ask searching questions about the drive in government to centralise digital information about our lives. Ministers talk sweet reason in making the case for ID cards and national NHS records. But they must know that such systems are always open to abuse. CCTV cameras on the streets may offer reassurance and help fight crime. But how relaxed would people be if, as happened in recent experiments, cameras were augmented by microphones to monitor street conversations? The debate over these and associated issues has been slow to get off the ground, but is now gathering pace. Many people feel increasingly anxious about the potential loss of civil liberties and it would be ill-advised for governments to dismiss such concerns. . ."
Patient Concern: Database a threat to patient confidentiality (15 Jan 2007)
Politics.co.uk
"A patients' campaign group has called on medical authorities to unite against plans to create a single government database. Ministers believe allowing government departments to share information will make public services more efficient. But Joyce Robins, co-director of Patient Concern, said: "The announcement of plans for a national database accessible by any government department couldn"t come at a worse time. "It will fuel the public"s fear that confidentiality is meaningless in respect of their medical condition and sabotage patients" trust in their doctors" ability to protect their privacy." The group is concerned the commitment to privacy in the NHS's integrated IT system will be overridden by the new database. "Not only the information commissioner but the health service regulatory bodies and medical royal colleges should be seriously worried and unite to oppose the threat to patient confidentiality," said Ms Robins.
A Vision of HAL (16 Jan 2007)
The Times
http://www.timesonline.co.uk/article/0,,542-2548779,00.html
"Joined-up government needs joined-up computers. "I know I"ve made some very poor decisions recently," HAL admits at a critical point in 2001: A Space Odyssey. "But I can give you my complete assurance that my work will be back to normal. I"ve still got the greatest enthusiasm and confidence in the mission. And I want to help you." The original spacefaring supercomputer could have been articulating the Government"s position on its own supercomputer projects. Disastrous errors have been made with the specification, procurement and installation of costly public sector IT systems. But Tony Blair insisted yesterday that he would press ahead with them nonetheless " and require them to pool personal information on citizens much more efficiently " because he believed it would enhance the delivery of public services. . . The scheme launched yesterday is aimed at lowering some of the barriers to information-sharing set up by the Data Protection Act 1998. Mr Blair has said it will only involve the creation of the new combined database so feared by civil liberties activists if a series of "citizens" panels" consent to the idea. It would be naive to suppose that the plan will not entail some erosion of personal privacy: easier citizen access to government necessarily means easier government access to citizens. But in all advanced democracies certain individual liberties are sacrificed for the sake of collective security. If executed efficiently and transparently, this project could deepen that social compact rather than threaten it.