January 2014

Your Private Medical Record May Be At Risk From March 2014

NHS Care Data

Update [19th Feb 2014]: NHS Care Data has been postponed for at least 6 months - huzzah! I will keep an ear to the ground and update as further information is released.

In March the NHS is implementing their care data project, whereby everyone in the UK’s medical records will be uploaded from their GP’s computer system to a central system. This will be the first time everyone’s medical records have been collected in one place - currently they are held only in your GP surgery and your named GP is personally responsible for the security of your data.

The potential benefits are massive for public health if it can give legitimate researchers easier access to lots of medical records. If it goes to plan, this should accelerate the process of medical research.

Personally I agree with the goals of care data. However, I believe the communication to the public has been abysmal and I don’t have confidence in the security of the implementation of the project.

How much have you heard about care data? Have you have received the leaflet “Better information means better care” via bulk mail (not personally addressed)?

Update: It’s February 19th - 9 days before March - and we still haven’t received this leaflet. It’s fortunate that I’ve even heard about NHS care data

The Risks

My personal reservations, in summary, are as follows:

I do not believe the “anonymisation” employed will be effective. There are numerous examples of anonymised data being de-anonymised by correlation against other data sources.
It’s not clear precisely which researchers will have access to the data. I want to know whether pharmaceutical and insurance companies could have access, for example.
I believe a central database of all UK citizens’ medical records will be an extremely high-value target for hackers.
I don’t believe any organisation currently has the capability to keep this data secure from a well funded hacking team (Not convinced? Read this…)

Poor Information

There are reassurances that our data will be "anonymised" and held "securely" but the detail is lacking or confusing. Take the following passage, for example:

Your date of birth, full postcode, NHS Number and gender rather than your name will be used to link your records in a secure system, managed by the HSCIC [Health and Social Care Information Centre].

I have no idea why this is written - if anything, my date of birth, gender and address are **more **identifiable than my name. I estimate there are tens of companies which know my date of birth and address and could derive my identity. I’m completely baffled.

Decide Now

If you are happy for your records to be exported in March, you can just do nothing and it will happen automatically.

If you don’t want this to happen, you can download a template letter from medConfidential and send it to your GP. You might also want to tell your friends and family to make an informed decision too.

NHS Care Data

The Risks

Poor Information

Decide Now

Further Reading