
Could it Happen Here?

The standard response of NHS officials on being told of information abuses in the United States is `it couldn't happen here'. Yet the US trip focussed our attention on the threat from the construction of large databases of personal health information. There had already been signs that all was not well.

An internal presentation by the NHS Executive to the effect that there should be a unified electronic patient record, shared by everyone in the NHS, had already caused concern --- to the extent that we had confronted senior officials on the 31st January and asked whether the real goal of the IM&T strategy was to construct a series of centralised databases, each covering a different aspect of health care but which would together contain essentially all personal health information on every NHS patient --- in effect, nationalising the country's medical records using contract data as the Trojan Horse for the project.

This was stoutly denied. Officials categorically assured us that the abstracts of the contract data that were kept centrally were not only de-identified, but also unlinkable --- separate episodes concerning the same patient could not be correlated. This was claimed to be a property of the HES data formats. We accepted these assurances and asked for a copy of the HES data specifications; we were promised a copy (which never turned up). Incidentally, the claim that central databases contain only episode data is still being repeated by senior officials [49].

The next stimulus came in February 1996 from an HIV data collection project. This was presented as an attempt to improve planning for HIV sufferers, who at present can self-refer to any hospital in the UK rather than having to go through their GP. As a result, officials suspected that the 18,000 registered sufferers represented only about 12,000 actual patients, and wanted to know if budgets could be cut. A form was sent out to all GPs and genitourinary clinics demanding details of all patients receiving treatment [46]. In addition to clinical information, this demanded that the patient be identified by date of birth, postcode and the `Soundex' code of their surname; the instructions for generating a Soundex code have the curious final line `Note: it is very helpful if you can give the initial of the first name as well'.

This information was being chased up, and handled, by employees of district health authorities, rather than being sent directly to the Public Health Laboratory Service. The development of regional databases is also mentioned in the protocol, but without detail. When these concerns were made public, a consultant epidemiologist at the laboratory claimed that ``Somebody who does not know what the Soundex code is would have no possibility of guessing the identity'' [37] --- hardly reassuring given that the Soundex system is public and that the patient's name and date of birth are present on the form!
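The weakness of Soundex as a pseudonym can be measured as a de-identification check. The following is an added example, not part of the original paper: it assumes the standard American Soundex rules (the form's own instructions are not reproduced here), uses a constructed register, and the function names are hypothetical.

```python
from collections import Counter

# Standard American Soundex digit groups (assumed; the form's own
# instructions are not reproduced on this page).
_GROUPS = {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT", "4": "L", "5": "MN", "6": "R"}
_CODE = {ch: d for d, letters in _GROUPS.items() for ch in letters}

def soundex(surname):
    """Public, deterministic 4-character code: initial letter + 3 digits."""
    letters = [c for c in surname.upper() if "A" <= c <= "Z"]
    if not letters:
        return ""
    out, prev = letters[0], _CODE.get(letters[0], "")
    for c in letters[1:]:
        code = _CODE.get(c, "")
        if code and code != prev:
            out += code
        if c not in "HW":          # H and W do not separate equal codes
            prev = code
    return (out + "000")[:4]

# Constructed sample register (surname, date of birth, postcode); not real people.
REGISTER = [
    ("Robert", "1961-03-14", "ZZ1 1AA"),
    ("Rupert", "1974-11-02", "ZZ1 1AA"),
    ("Robart", "1961-03-14", "ZZ9 9ZZ"),
    ("Smith",  "1980-07-30", "ZZ1 1AA"),
    ("Smyth",  "1980-07-30", "ZZ1 1AA"),
]

def key(record, with_dob_postcode=True):
    """Quasi-identifier tuple as it would appear on the returned form."""
    surname, dob, postcode = record
    code = soundex(surname)
    return (code, dob, postcode) if with_dob_postcode else (code,)

def singled_out(records, with_dob_postcode=True):
    """Count records whose quasi-identifier tuple matches no other record."""
    sizes = Counter(key(r, with_dob_postcode) for r in records)
    return sum(1 for r in records if sizes[key(r, with_dob_postcode)] == 1)

if __name__ == "__main__":
    print("unique on Soundex alone:", singled_out(REGISTER, False))
    print("unique on Soundex + DOB + postcode:", singled_out(REGISTER, True))
```

On Soundex alone every constructed record shares its code with another, but once date of birth and postcode are included most records sit in an equivalence class of one, which is the linkability the officials denied.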

Meanwhile, it was pointed out that HIV status was already encoded in the contract minimum data set, as were codes for other sexually transmitted diseases, abortions and fertility treatment [34].

The next stimulus was in March 1996 when a study of the NHS Executive's IM&T strategy commissioned by the BMA's IT Committee reported that

The changes to the flows and management of health information will, when completed, represent the most fundamental and challenging changes to the practice of medicine ever [57].


Ross Anderson
Tue Jun 25 08:31:53 BST 1996