During 1995-96, it became clear that a number of NHS databases that were under construction or already in use held health information about identifiable patients without their knowledge or consent. For example, the Hospital Episode Statistics (HES) system at the Department of Health contains records of all hospital treatments, in which patients are identified by their date of birth and postcode. This combination is sufficient to identify some 98% of the UK population (the rest are mostly students, prisoners, military personnel and twins).
Professional organisations, led by the BMA, objected that this identification was both unethical and unnecessary; the statistics which these systems were supposed to provide (such as referral patterns and readmission rates) are also supplied by private sector health informatics companies who use properly de-identified data. For example, data collected by private firms to monitor hospital performance statistics uses a patient number which only the hospital trust can link to the patient's name; age data is restricted to year of birth and address to postcode sector. This is enough to identify age cohorts and deprivation index, but not enough to identify individuals.
The Department of Health's response was to set up the Caldicott committee to review all flows of personal health information other than for patient care, research and statutory notification. The committee, whose membership was heavily weighted with NHS managers, found that all the information flows it identified were for justifiable purposes and concluded that the flows were justified (although in some cases it argued that less data should be used).
The meat of the committee's recommendations was that in most cases where personal health information is used outside the context of immediate care, the patient's name and address should be replaced by the NHS number. However, this provides little anonymity as the new NHS tracing service enables NHS staff to find out the name and address corresponding to a number and vice versa (we will discuss this in detail below). Caldicott was also emphatic that both date of birth and postcode should be retained 'to reduce the risk of error to an acceptable level' (4.6.4). This is a curious argument, as the NHS number already contains a check digit, as bank accounts do; if further protection against error were felt necessary, then one would expect a competent system designer to use an error correction code or cryptographic authentication methods. The retention of postcode and date of birth will mean that most patients will continue to be easily identifiable in the records used by HES and many other systems.
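The check-digit point above can be tested directly. The following is an added example, not part of the original note: it assumes the published Modulus 11 scheme for the ten-digit NHS number (weights 10 down to 2 on the first nine digits), which the note itself does not spell out, and it uses a constructed sample number. It counts how many single-digit keying errors and adjacent-digit swaps would slip past the check.

```python
# Added illustration: Modulus 11 check digit of the 10-digit NHS number.
WEIGHTS = range(10, 1, -1)  # 10, 9, ..., 2 applied to the first nine digits


def check_digit(first_nine):
    """Return the check digit for nine digits, or None if none exists."""
    total = sum(w * int(d) for w, d in zip(WEIGHTS, first_nine))
    check = 11 - total % 11
    if check == 11:
        return 0
    return None if check == 10 else check  # 10 means the number is never issued


def is_valid(number):
    """True if `number` is ten digits and its last digit matches the check."""
    if len(number) != 10 or not number.isdigit():
        return False
    return check_digit(number[:9]) == int(number[9])


def undetected_errors(number):
    """Count single-digit substitutions and adjacent transpositions of a
    valid number that still pass validation (i.e. errors the check misses)."""
    missed = 0
    for i in range(10):
        for d in "0123456789":
            if d != number[i]:
                missed += is_valid(number[:i] + d + number[i + 1:])
    for i in range(9):
        if number[i] != number[i + 1]:
            swapped = number[:i] + number[i + 1] + number[i] + number[i + 2:]
            missed += is_valid(swapped)
    return missed


# Constructed sample value, not a real patient's number.
SAMPLE = "943476591" + str(check_digit("943476591"))

if __name__ == "__main__":
    print(SAMPLE, is_valid(SAMPLE), undetected_errors(SAMPLE))
```

Because 11 is prime and adjacent weights differ by one, every such error changes the weighted sum by a non-zero amount modulo 11, so the count is zero for any valid number without any help from date of birth or postcode.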
The proposals for the NHS Tracing Service give rise to grave concern. This system will be the first database to contain up-to-date information on the whereabouts of every man, woman and child in the country. (Existing databases, such as those run by the DVLA or the National Insurance system, do not cover the whole population and typically have many out-of-date addresses.) The proposed security measures are unconvincing, as the wide uptake of the NHS number envisaged by Caldicott will mean that large numbers of healthcare professionals will need daily access in order to do their jobs. On past experience it is likely that some NHS staff will be corrupted or simply misled into providing information, and as a result this database will become open to people such as private detectives, stalkers, sex abusers and even foreign intelligence agencies.
In addition, the data flows endorsed by Caldicott appear to be ultra vires in a number of cases, such as where the content of records is covered by the more stringent confidentiality provisions applying to sexually transmitted diseases, human fertility & embryology and mental health. The proposals for implementing Caldicott are thus inadequate, even from the very basic level of ensuring that healthcare providers comply with the law. From the viewpoint of medical ethics, they are even less satisfactory. We understand that professional associations have put the Department on notice about this. Interested parties should ensure that their views are heard by the Secretary of State as policy in this area is developed.
In the rest of this note we describe some of the systems that pose a problem for patient privacy. We then point out some serious problems with the proposed implementation of the Caldicott committee's recommendations. Finally we draw some conclusions.