Examples of aggregation in NHS systems

The aggregation of personal health information may come about in a variety of ways, some doubtless well meaning and others driven by nonclinical pressures. Examples in current and proposed NHS systems include:

• the proposed NHS Clearing Service for in-patient contract data will contain information on hospital treatment of patients throughout the country. Requests by the BMA to review the functional specification of this system have been dismissed with the assertion that this information is not in the public domain;

• the Administrative Registers contain sensitive information such as past registration for contraceptive services and relationships with mental health institutions;

• at least two systems have been developed that enable health authorities to link up item-of-service claims, prescriptions and contract data to create a `shadow' patient record outside clinical control [AIS95] [DL95];

The above systems have been commissioned despite agreement between the NHS Executive and the clinical unions that electronic patient records shall be at least as secure as paper records, and established guidelines of the GMSC/RCGP Joint Computer Group which state that no patient should be identifiable, other than to the general practitioner, from any data sent to an external organisation without the informed consent of the patient [JCG88].

A strategic goal of the NHSE's Information Management Group is an entirely shared electronic patient record; we understand that the collection of GP data is to be the driving force, and that GP systems will be interrogated by NHS systems. However these goals are in clear conflict with the ethical position of the BMA [Som93] as well as the Joint Computer Group guidelines mentioned above.

Patient consent for the sharing of personal health information with NHS administrators is not present; indeed, a survey shows that most patients are unwilling to share personal health information with them [Haw95]. That this information should be collected into large aggregates that are outside the control even of healthcare professionals is extremely dangerous; as the US experience has shown, the mere existence of such a potentially valuable resource will create strong political pressures for legitimised access by law enforcement agencies, insurance companies and others.

The response of the BMA includes this document. Its primary purpose is to help clinical professionals discharge their ethical and legal responsibilities by selecting suitable systems and operating them safely. It seeks to define what kind of systems may prudently be trusted to receive personal health information, and for that we shall build on the threat model developed in this section to develop a security policy for clinical information systems. This consists of a compact set of principles that if implemented properly will enforce patient consent effectively in communicating computer systems.