I had intended to write this blog post about differing attitudes towards giving away your personal data: how we trade our data as an asset for services such as Facebook or LinkedIn. Whilst that remains high on my rapidly growing to-do list, I feel there is a more important issue at the moment that requires my immediate attention: the story of care.data.
Consider for a minute how blissfully unaware most people are of how their data can be used, as I was before a morning chat with Gareth over coffee about care.data last week. He highlighted to me that the NHS doesn’t have a particularly brilliant track record with data security (BBC, Telegraph) and that it should concern us all that they’re going to put all of our medical records in one place. The fact remains, though, that despite all of this the NHS is still far more trusted than any private organisation.
It was clear that he was worried: what if there was an attack, what if every medical record in the UK was up for grabs on a USB drive, or what if the government wanted to sell that data to businesses? Wrapped up in this is a whole myriad of ethical concerns; Mike Hodgkinson (Independent) and Alice Bell (Guardian) have written about them, and the story even made the front page of The Guardian (and notably not The Sun) yesterday.
This sparks many concerns for me, first among them the blatant disregard for the Data Protection Act. Principle 2 states that “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.” When your doctor entered data about you and your medical conditions it was purely for the betterment of your medical care. Care.data at its core could be judged compatible with that purpose, but selling that data on is not. It’s not why the data was collected, we weren’t told, and it’s not legal.
The way that care.data plans to escape this is through ‘pseudonymised’ data (please see below). This removes key identifying attributes, supposedly making the data anonymous and therefore exempt from the DPA. Of course this is not foolproof; I would bet that if Tesco wanted to buy that database they could piece it back together. The fact is that if somebody wants to un-anonymise this data, they will. Say you have quadruplets: that’s four people with exactly the same date of birth (which I imagine is a field they would leave in the ‘pseudonymised’ data). Four people with the same date of birth who live geographically close to each other are easy to identify. This data will never be truly anonymous no matter what is done to it; and, staggeringly, there is no information on how they will make this data anonymous or how they will protect it!
The final nail in the coffin, though, is the ‘opt-out’ procedure. To avoid being added to this database you must call your GP and ask them to make a note on your medical file. That doesn’t seem like the most elegant solution to me; what are the chances that some people get missed and added anyway? In terms of legality, silence isn’t agreement, and sharing this data in the way they plan requires explicit consent, as it is not why the data was collected. Consider organ donation: you have to opt in, and it wouldn’t be okay any other way. This should be the same.
There is much more to be discussed on this topic. I haven’t gone into the many positive points about this programme, but it needs to be slowed down or stopped altogether to make sure it’s being done properly and ethically, and not simply as an attempt to monetise an NHS asset that has no rightful place on the open market.
As always thoughts and opinions to @TheDataIQ or in the comments below, thanks for reading.
When pseudonymisation techniques are consistently applied, the same pseudonym is provided for individual patients across different data sets and over time. This allows the linking of data sets and other information which is not available if the PID is removed completely. To effectively pseudonymise data the following actions must be taken:
• Pseudonyms to be used in place of NHS Numbers and other fields must be of the same length and formatted on output to ensure readability. For example, in order to replace NHS Numbers in existing report formats, the output pseudonym should generally be of the same field length, but not of the same characters; i.e. 5L7 TWX 619Z. Letters should be used within the pseudonym for an NHS number to avoid confusion with original
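As an added illustration of two points above, the guidance's requirement for a consistent, same-length pseudonym containing letters, and the quadruplets argument that a date of birth and location left beside the pseudonym can still single people out, here is example code written for this post; it is not code from care.data or the NHS, and the secret key, the HMAC-based pseudonym scheme, the field names and the sample records are all assumptions of the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed secret for this example; a real service keeps it separate from the data it releases.
PSEUDONYM_KEY = b"example-key-do-not-use"
# Letters and digits, with I and O dropped to avoid confusion with 1 and 0.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ0123456789"


def pseudonymise_nhs_number(nhs_number: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Map a 10-digit NHS number to a consistent pseudonym of the same 3-3-4 shape.

    HMAC-SHA256 under a secret key yields the same output for the same input (so data
    sets can still be linked) but cannot be recomputed without the key; letters are
    mixed in so the result cannot be mistaken for a real NHS number.
    """
    digits = nhs_number.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        raise ValueError("NHS number must be 10 digits")
    digest = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[:10]]
    if all(c.isdigit() for c in chars):  # force at least one letter into the output
        chars[0] = "X"
    body = "".join(chars)
    return f"{body[:3]} {body[3:6]} {body[6:]}"

def pseudonymise_records(records, key: bytes = PSEUDONYM_KEY):
    """Replace the NHS number in each record; every other field is left exactly as it was."""
    return [dict(r, nhs_number=pseudonymise_nhs_number(r["nhs_number"], key)) for r in records]

def quasi_identifier_group_sizes(records, fields=("dob", "postcode_district")):
    """Count how many records share each combination of the remaining identifying fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def singled_out(records, fields=("dob", "postcode_district")):
    """Records whose combination of `fields` is unique in the extract: the pseudonym protects nothing here."""
    sizes = quasi_identifier_group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]

# Constructed extract (check digits not validated): four siblings sharing a date of birth and
# postcode district, plus one patient who is the only person in the extract born on that date there.
SAMPLE = [
    {"nhs_number": "943 476 5919", "dob": "2001-03-04", "postcode_district": "SW1A"},
    {"nhs_number": "943 476 5927", "dob": "2001-03-04", "postcode_district": "SW1A"},
    {"nhs_number": "943 476 5935", "dob": "2001-03-04", "postcode_district": "SW1A"},
    {"nhs_number": "943 476 5943", "dob": "2001-03-04", "postcode_district": "SW1A"},
    {"nhs_number": "943 476 5951", "dob": "1975-11-30", "postcode_district": "SW1A"},
]
```

Running `singled_out(pseudonymise_records(SAMPLE))` returns the fifth record untouched, which is the whole point: a good pseudonym for the NHS number does nothing about fields that already identify one person on their own.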