Given this background, the US experience caused us to stop and reexamine the overall pattern, which entailed looking at the ultimate repository and beneficiaries of the large quantities of information that the Information Management and Technology Strategy sets out to gather. We had still not received the HES data definitions that the government had promised in January, so these were now obtained otherwise.
This led to the shocking discovery that the categorical assurances which we had received about the HES data were completely false. The records in this database contain the full postcode, date of birth and sex [25]. So with a few exceptions (such as twins living together, and students in colleges) the patients are easily identifiable and the episodes are linkable. In fact, it is unclear what their value would have been otherwise, as one of their avowed functions is to assess hospital readmission rates.
This contributed to an impression that the Department of Health has for some time worked to create a set of central databases with details of every episode of care in the country. If this is the case, then no doubt knowing that it would be controversial, they have tried to do it by stealth.
This impression is not dispelled by ministerial assurances. An MP had set down the following parliamentary question about the Clearing service, the central system for settling health care payments between purchasers and providers, and which also skims off the HES data for central government [21]:
To ask the Secretary of State for Health, ... on what basis (contractor's) employees or managers will have access to personal data?
The government replied [38]:
Their managers and employees are contractually bound to maintain the confidentiality of data passing through the Clearing Service, and will have no access to it.
This is intrinsically implausible to a computer security person (surely the system administrators will have access?), and when we obtained a copy of the Clearing system documentation we found that according to its security policy, staff with `a direct operational functional requirement' would have access to personal health information, while access to information that had been `de-identified' (i.e., with the name and address removed but with the postcode and date of birth still presumably present ``shall be available to all Users for healthcare business purposes, subject to receipt by the Contractor in writing of rules imposed by the Data Protection Registry''.
So it appears that our initial fears were well founded. In addition to the Clearing and HES systems mentioned above, there are databases in existence for prescriptions and planned for community care and data collected from general practice. Meanwhile, the government states that matching of official data will be allowed by officials investigating welfare fraud. Is it reasonable to hope that access will be denied to police, customs, tax officials, and indeed every official who can plead a `need to know'?