BMJ 2014;348:g1624 doi: 10.1136/bmj.g1624 (Published 18 February 2014)
Page 1 of 3
News
NEWS New patient database could undermine trust in NHS, risk analysis concludes Ingrid Torjesen London
The centralisation of medical records in the care.data national database has the potential to undermine trust among NHS patients in England, prompting them to withhold information from their clinicians and compromising their care, the NHS’s own risk analysis of the programme has concluded.
The system could also be vulnerable to hackers, the analysis says, because pseudonymised data available to “approved groups of users” such as care commissioners and health researchers could be combined with other datasets to “re-identify patients maliciously.” Under the care.data programme England’s Health and Social Care Information Centre will bring together health and social care from primary and secondary care for the first time. The centre will use patient identifiers, such as their NHS number, date of birth, postcode, and sex, to link data from different healthcare settings, and then these identifiers will be stripped out.
The centre will publish some anonymous or aggregated data itself, and pseudonymised data will be available to “approved groups of users,” including commissioners and researchers. Identifiable personal confidential data could be disclosed without patient consent only in exceptional circumstances where there is an overriding public interest, such as an outbreak of a new disease or a civil emergency. Medical bodies and patients’ groups have raised concerns about the security of the system, and last week the Royal College of General Practitioners called for its planned roll out to be slowed down until a “crisis of confidence” in the plans, which had not been properly communicated to the public and GPs, had been averted.1 Now a privacy impact assessment undertaken by the Health and Social Care Information Centre has echoed many of these concerns.2 The assessment concludes, “The extraction of personal confidential data from providers without consent carries the risk that patients may lose trust in the confidential nature of the health service. This risk is twofold: firstly patients will not receive optimal healthcare if they withhold information from the clinicians that are treating them; and secondly, that this loss of trust degrades the quality of data for care.data and other secondary users of NHS data.” The document adds that there are also “threats associated with ‘cyberspace,’ such as hackers attempting to access the data illegally.” Furthermore, “the analysts granted access to these pseudonymised flows could potentially re-identify patients For personal use only: See rights and reprints http://www.bmj.com/permissions
maliciously by combining the pseudonymised data with other available datasets (a technique known as a jigsaw attack), such an attack would be illegal and would be subject to sanction by the Information Commissioner’s Office.”
The privacy impact assessment says that personal confidential health data have been used for many years at a local level for planning services, audit, and research and that there have been incidents of local data breaches. “Local processing can be difficult to monitor and audit, and the likelihood of an individual being identifiable when processing takes place locally is higher than when data are processed centrally (e.g. recognising the name of a neighbour),” the document argues. However, to mitigate against the potential risks, the NHS Constitution gives patients the right to object to their personal confidential data leaving their general practice or from being disclosed to “approved groups” by the Health and Social Care Information Centre, the document says.
Leaflets with information about care.data, entitled “Better Information Means Better Care,” were distributed to households throughout January. It advised patients to contact their general practice if they wanted to opt out.
However, a YouGov survey of more than 1400 people this month, commissioned by the Medical Protection Society, found that two thirds (67%) did not recall receiving the leaflet and that 45% did not understand care.data from what they had read or heard. This follows a Medical Protection Society survey of more than 600 GPs in January in which 80% said they did not believe that they had a good understanding of how patient data would be used in the care.data system. Like the Royal College of General Practitioners, the BMA supports the principle of using anonymised data to plan and improve the quality of NHS care but believes that the public information campaign on care.data has been inadequate. Chaand Nagpaul, chairman of the BMA’s General Practitioners Committee, said, “GPs across the country are telling us that large numbers of their patients have not received any information and therefore remain completely unaware that their data will be uploaded, while others remain worried about who will have access to it and what it will be used for. “The public awareness campaign has clearly not worked, and today we call on the government to ensure public trust in the system by properly informing the public about care.data before the currently planned data extracts commence—and to produce evidence this has been achieved prior to uploads taking place. Subscribe: http://www.bmj.com/subscribe
BMJ 2014;348:g1624 doi: 10.1136/bmj.g1624 (Published 18 February 2014)
Page 2 of 3
NEWS
As a result we will be having urgent discussions with NHS England about what it can do to address the situation to improve patient awareness, so that patients are able to make a fully informed choice.”
1
bmj.com Feature: The NHS’s care.data scheme: what are the risks to privacy? (BMJ 2014;348:g1547, doi:10.1136/bmj.g1547)
© BMJ Publishing Group Ltd 2014
For personal use only: See rights and reprints http://www.bmj.com/permissions
2
Iacobucci G. Government must do more to explain benefits of centralised database. BMJ 2014;348:g1566. NHS England. Privacy impact assessment: care.data. Jan 2014. www.england.nhs.uk/ wp-content/uploads/2014/01/pia-care-data.pdf.
Cite this as: BMJ 2014;348:g1624
Subscribe: http://www.bmj.com/subscribe
BMJ 2014;348:g1624 doi: 10.1136/bmj.g1624 (Published 18 February 2014)
Page 3 of 3
NEWS
Figure
For personal use only: See rights and reprints http://www.bmj.com/permissions
Subscribe: http://www.bmj.com/subscribe
Page 1 of 3
News
NEWS New patient database could undermine trust in NHS, risk analysis concludes Ingrid Torjesen London
The centralisation of medical records in the care.data national database has the potential to undermine trust among NHS patients in England, prompting them to withhold information from their clinicians and compromising their care, the NHS’s own risk analysis of the programme has concluded.
The system could also be vulnerable to hackers, the analysis says, because pseudonymised data available to “approved groups of users” such as care commissioners and health researchers could be combined with other datasets to “re-identify patients maliciously.” Under the care.data programme England’s Health and Social Care Information Centre will bring together health and social care from primary and secondary care for the first time. The centre will use patient identifiers, such as their NHS number, date of birth, postcode, and sex, to link data from different healthcare settings, and then these identifiers will be stripped out.
The centre will publish some anonymous or aggregated data itself, and pseudonymised data will be available to “approved groups of users,” including commissioners and researchers. Identifiable personal confidential data could be disclosed without patient consent only in exceptional circumstances where there is an overriding public interest, such as an outbreak of a new disease or a civil emergency. Medical bodies and patients’ groups have raised concerns about the security of the system, and last week the Royal College of General Practitioners called for its planned roll out to be slowed down until a “crisis of confidence” in the plans, which had not been properly communicated to the public and GPs, had been averted.1 Now a privacy impact assessment undertaken by the Health and Social Care Information Centre has echoed many of these concerns.2 The assessment concludes, “The extraction of personal confidential data from providers without consent carries the risk that patients may lose trust in the confidential nature of the health service. This risk is twofold: firstly patients will not receive optimal healthcare if they withhold information from the clinicians that are treating them; and secondly, that this loss of trust degrades the quality of data for care.data and other secondary users of NHS data.” The document adds that there are also “threats associated with ‘cyberspace,’ such as hackers attempting to access the data illegally.” Furthermore, “the analysts granted access to these pseudonymised flows could potentially re-identify patients For personal use only: See rights and reprints http://www.bmj.com/permissions
maliciously by combining the pseudonymised data with other available datasets (a technique known as a jigsaw attack), such an attack would be illegal and would be subject to sanction by the Information Commissioner’s Office.”
The privacy impact assessment says that personal confidential health data have been used for many years at a local level for planning services, audit, and research and that there have been incidents of local data breaches. “Local processing can be difficult to monitor and audit, and the likelihood of an individual being identifiable when processing takes place locally is higher than when data are processed centrally (e.g. recognising the name of a neighbour),” the document argues. However, to mitigate against the potential risks, the NHS Constitution gives patients the right to object to their personal confidential data leaving their general practice or from being disclosed to “approved groups” by the Health and Social Care Information Centre, the document says.
Leaflets with information about care.data, entitled “Better Information Means Better Care,” were distributed to households throughout January. It advised patients to contact their general practice if they wanted to opt out.
However, a YouGov survey of more than 1400 people this month, commissioned by the Medical Protection Society, found that two thirds (67%) did not recall receiving the leaflet and that 45% did not understand care.data from what they had read or heard. This follows a Medical Protection Society survey of more than 600 GPs in January in which 80% said they did not believe that they had a good understanding of how patient data would be used in the care.data system. Like the Royal College of General Practitioners, the BMA supports the principle of using anonymised data to plan and improve the quality of NHS care but believes that the public information campaign on care.data has been inadequate. Chaand Nagpaul, chairman of the BMA’s General Practitioners Committee, said, “GPs across the country are telling us that large numbers of their patients have not received any information and therefore remain completely unaware that their data will be uploaded, while others remain worried about who will have access to it and what it will be used for. “The public awareness campaign has clearly not worked, and today we call on the government to ensure public trust in the system by properly informing the public about care.data before the currently planned data extracts commence—and to produce evidence this has been achieved prior to uploads taking place. Subscribe: http://www.bmj.com/subscribe
BMJ 2014;348:g1624 doi: 10.1136/bmj.g1624 (Published 18 February 2014)
Page 2 of 3
NEWS
As a result we will be having urgent discussions with NHS England about what it can do to address the situation to improve patient awareness, so that patients are able to make a fully informed choice.”
1
bmj.com Feature: The NHS’s care.data scheme: what are the risks to privacy? (BMJ 2014;348:g1547, doi:10.1136/bmj.g1547)
© BMJ Publishing Group Ltd 2014
For personal use only: See rights and reprints http://www.bmj.com/permissions
2
Iacobucci G. Government must do more to explain benefits of centralised database. BMJ 2014;348:g1566. NHS England. Privacy impact assessment: care.data. Jan 2014. www.england.nhs.uk/ wp-content/uploads/2014/01/pia-care-data.pdf.
Cite this as: BMJ 2014;348:g1624
Subscribe: http://www.bmj.com/subscribe
BMJ 2014;348:g1624 doi: 10.1136/bmj.g1624 (Published 18 February 2014)
Page 3 of 3
NEWS
Figure
For personal use only: See rights and reprints http://www.bmj.com/permissions
Subscribe: http://www.bmj.com/subscribe
