By September 1995, the BMA had become convinced that the NHS Executive either would not or could not draw up an acceptable security policy, and so on the 7th October the BMA Council asked me to do this. My goal was not to rewrite the traditional ethics of the profession, but to translate them into a concise set of rules that would provide a clear and unambiguous basis of communication between patients, clinicians and policymakers on the one hand, and computer system builders on the other.
There already existed two well understood security policy models to provide some inspiration. The first is the Bell-LaPadula policy, used by the world's armed forces, under which an official cleared to `secret' should be able to see documents classified `secret' and below, but nothing at `top secret' or above. In other words, information only flows upwards, and never downwards, through a hierarchy of security levels [9]. The second is the Clark-Wilson policy that was developed to formalise good practice in banking and bookkeeping systems, and which lays down a number of rules to enforce controls such as dual control and audit [19]. But neither of these would do for clinical information, the basic principle of which is expressed by the General Medical Council [31] as:
Patients have a right to expect that you will not pass on any personal information which you learn in the course of your professional duties, unless they agree.
Thus our goal is patient control of data access, rather than an access hierarchy that reflects an organisational command structure. It is privacy, that empowers the patient, rather than confidentiality, that empowers the organisation. This distinction is already familiar to medical ethicists: in English law, the privacy of medical records is founded on the rights of the patient while the confidentiality of social work records is based on the rights of the local authority that employs the social worker [24]. However, it was less familiar in the computer security world, as previous security models (including both Bell-LaPadula and Clark-Wilson) had been driven by organisational rather than privacy concerns.
So how could privacy --- the principle of patient control --- be encapsulated in a compact set of rules that would be easily understood by patients and clinicians, but sufficiently precise for system builders?
The BMA also commissioned guidelines. The idea was that the policy would be normative --- it would state where we should be in a few years' time --- while the guidelines would tell the working doctor how to protect her patients (and herself) from the immediate threats. One might think of the policy as the long-term treatment plan, and the guidelines as a bandage to stop the bleeding.
Developing the policy was a fascinating experience. The main primary sources used to elucidate the GMC position were the books by Somerville on medical ethics [72], and by Darley, Griew, McLoughlin and Williams on clinical confidentiality [24]. These provided the background material on what problems arise in practice, and how the clinical professions expect them to be dealt with. The pioneering study of electronic patient records by Griew and Currell [30] was also useful; it showed how complex it is to build a policy model for a record containing components to which different combinations of clinicians would have access, and motivated the search for a simpler framework.
The key idea was to assume that each record would have a unique access policy. That is, we would treat a lifetime's medical history as an accumulation of records, each of which was completely accessible to a the same set of users. Thus the general record might be available to everyone in a practice or care team, while a note on a treatment for depression might be open only to the doctor who treated it (and to the patient). This greatly simplifies things, and has the virtue of reflecting actual clinical practice.
By early November 1995, a first draft of the policy was circulated, and was significantly refined by a number of discussions. Among the most helpful were presentations to the BMA's IT and Ethics committees; we also shared the early drafts with software suppliers so that any practical objections could be raised, and with the NHS Executive, whose contribution at the time was negligible. These meetings took place during November and December 1995.
The final versions of the policy and guidelines were written over the New Year holiday and shipped in early January 1996 [5] [6]. The core of the policy is contained in nine principles, which are appended. A period of public consultation ensued, of which this workshop is the logical culmination.