Next: What Should be Done? Up: Remarks on the Caldicott Previous: Introduction

Problem Systems

The NHS's information management and technology (`IM&T') strategy has caused many problems for patient privacy, which spurred the medical profession into protest during 1995 and 1996. The strategy had been justified in public on the grounds that it would enable a hospital doctor treating a patient admitted unconscious to locate and access the patient's medical records [6]. However, no such system was built or even planned. Instead, the strategy revealed itself as consisting of the following data collection systems.

  1. The NHS-wide Clearing service centralises all secondary care payments, which used to be handled locally. It also provides information to health authorities on referral patterns, readmission rates and the like -- although similar services were already available from commercial firms who work with de-identified data. However, Clearing holds a fully identifiable record of each `contract data set', which includes not just the patient's name, address, diagnosis and treatment but also information such as HIV status, even where this is irrelevant to the treatment. This was felt by the medical profession to be an invasion of privacy [11]. In addition, the costs of the Clearing service have become so high that patient care has had to be cut to pay for them [5]. Also objectionable is the other main function of Clearing -- to feed information to:
  2. HES, the Hospital Episode Statistics database, contains information on all secondary care episodes in the UK, and as noted above it identifies patients by date of birth and postcode. According to Caldicott, it is used for a wide range of central management purposes, including trend monitoring, the support of ministers in Parliament, and the provision of data for research and for health sector businesses. This information is provided without the knowledge or consent of the great majority of patients; it is thus clearly unethical and in some cases illegal. However, in the view of the Caldicott committee, the information flow is justified, and the identifier -- the combination of postcode and date of birth -- must be retained.
  3. The NHS number and the Tracing Service. The NHS is allocating each actual or potential patient a number which can be looked up via the tracing service (previously called the administrative registers). There have been significant teething problems, with millions of pounds wasted on systems that do not work [3].

    If the NHS Executive can get it to work, the service will be the only database to contain up-to-date information on the whereabouts of every man, woman and child in the country. The access arrangements appear to assume probity on the part of all those with legitimate access; unfortunately this is unlikely to be the case. There will be a huge incentive for large numbers of potential malefactors, ranging from private detectives through organised criminals to foreign intelligence agencies, to acquire access, whether by technical means or (more likely) by corrupting staff; and the number of staff who have access and are thus a target for corruption is in the hundreds of thousands. The data that will thus be obtained will provide a history of each patient's associations with healthcare providers, including (for example) relationships with outpatient STD and psychiatric clinics. Even if the security measures work (and we don't believe they will) such data will still become widely visible throughout the NHS.

  4. Data collection from GPs. The standard GP contract includes a capitation element plus additional payments for services such as immunisation, screening, contraception, and minor surgery. The processing of claims for these `items of service' has recently been computerised, and this has made large quantities of personal health information available to the centre. When the BMA objected, the response of the NHS Executive's medical director was that these claims did not contain personal health data [16] -- a curious view given that the claim forms contain the names of women and girls receiving contraceptive treatment!

    There were also some unpredicted side-effects. For example, under-age girls seeking contraception often give false names, and these passed through the old manual system without problems. The new computerised system rejects them: if the GP cannot supply an accurate name she does not get paid.

  5. The Prescription Pricing Authority pays pharmacists, and has recently acquired a role in the detection of fraud and drug abuse. It supplies identifiable data to approved researchers (these are approved by its medical director rather than by any process involving patient consent), to the Drug Research Unit, and to the Fraud Unit. We understand that it also gives the Home Office access to its database. This led to objections from the BMA that it might be abused for tracing illegal immigrants. (Health authorities already supply data on migrants to the Office of National Statistics, according to Caldicott.)
  6. Disease Registers. There are separate registers for a number of expensive chronic diseases, particularly diabetes and HIV/AIDS (information on which is collected by the Public Health Laboratory Service at Colindale). HIV data is collected directly from GUM clinics and from charities who receive funds for caring for victims; in both cases, patients are identified by postcode and date of birth, and also by the Soundex code of their surname. (The AIDS charities were not even informed that this would enable their patients to be identified.) In addition, results of CD4 tests are collected in fully identifiable form. This is one of the cases where Caldicott suggests using less personal information -- by replacing the patient's name with an encrypted NHS number. The question of whether or not lab reports will still be matched to other, identifiable, returns is ducked.

    Further registers are planned for heart disease, stroke, etc., so the development of diabetes registers and HIV data collection may be a significant precedent. Although nominally designed to monitor the quality of patient care, these registers have become entangled in missions such as cost control. For example, there are growing objections to some diabetes registers' use of identifiable patient data. On the continent, data for such purposes are de-identified before processing [10] so the intrusive and unethical aspects of the current approach are clearly unnecessary.

  7. The NHS-wide network is meant to connect all these systems together. It is expensive (£1,500 per annum for an account, or about 10 times market prices, and 1p per kilobyte for normal traffic, or about 100 times market price) and obsolete (being based on X.400 rather than on the SMTP protocol that has prevailed in the marketplace). There are also safety and privacy problems: for example, the previous government resisted pressure to protect the safety and privacy of clinical messages using digital signature and encryption mechanisms, and insisted that if these were used then copies of the keys must be available to GCHQ. The recent change of government has not ameliorated the pressure for government access to encryption keys, despite the fact that a policeman armed with a warrant can always obtain the plaintext directly from the GP's surgery and/or hospital. These price and privacy problems led many hospitals and GPs to boycott the network [4].
  8. Health authorities have computer systems that enable them to collate all the expense claims submitted on behalf of a single individual, whether for hospital care through Clearing, for drugs through the PPA, or whatever. This procedure, known as `drill down', creates a shadow patient record that is outside the control of the patient and of the clinical professionals responsible for his care. The predictable effect of `drill down' systems in the USA (where they originated) has been to cause discrimination against patients with expensive conditions [15] and to create intrusive pressures on patients from employers and insurers for lifestyle changes [12]. Local aggregation of data, such as drill-down, appears to have been ignored by Caldicott.
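Items 2 and 6 above rest on the point that postcode plus date of birth, with or without a Soundex code of the surname, identifies patients rather than anonymising them. The following Python is an added illustration, not code from this paper or from any NHS system: it implements standard Soundex and links a constructed `de-identified' clinic return against a constructed identifiable register (all names, postcodes and dates are invented).

```python
# Added illustration, not from the paper: why postcode + date of birth + Soundex
# surname code (the HIV return format described above) identifies patients.
# Every register entry and clinic return below is constructed.

SOUNDEX_CODES = {}
for _letters, _digit in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                         ("L", "4"), ("MN", "5"), ("R", "6")):
    for _ch in _letters:
        SOUNDEX_CODES[_ch] = _digit


def soundex(surname):
    """Standard Soundex: initial letter plus three digits, zero-padded."""
    letters = [c for c in surname.upper() if c.isalpha()]
    if not letters:
        return ""
    out = letters[0]
    last = SOUNDEX_CODES.get(letters[0], "")
    for ch in letters[1:]:
        if ch in "HW":                       # H/W neither code nor break a run
            continue
        digit = SOUNDEX_CODES.get(ch, "")
        if digit and digit != last:
            out += digit
        last = digit                         # a vowel ("") ends the run
    return (out + "000")[:4]


# Constructed identifiable register of the kind a tracing service or
# health authority holds: (name, postcode, date of birth).
REGISTER = [
    ("Jane Smith",  "CB2 1TN", "1961-03-04"),
    ("Amira Khan",  "CB2 1TN", "1961-03-04"),   # shares postcode and DOB
    ("John Smythe", "CB2 1TN", "1961-03-04"),   # same Soundex as Smith
    ("Paul Khan",   "NN1 5AA", "1975-11-22"),
]

# Constructed clinic returns in the "de-identified" format: no name, only
# (postcode, date of birth, Soundex of surname).
RETURN_KHAN = ("CB2 1TN", "1961-03-04", "K500")
RETURN_SMITH = ("CB2 1TN", "1961-03-04", "S530")


def match(clinic_return, register, use_soundex=True):
    """Names in the register consistent with a return's quasi-identifiers."""
    postcode, dob, sdx = clinic_return
    return [name for name, pc, d in register
            if pc == postcode and d == dob
            and (not use_soundex or soundex(name.split()[-1]) == sdx)]
```

Matching on postcode and date of birth alone leaves three candidates in this register; adding the Soundex code resolves the Khan return to one person and the Smith return to two, so the code is lossy but still a strong identifier in combination.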

The Caldicott list of data flows is not exhaustive, and new examples surface regularly. Recently, the writer received a complaint from a doctor injured in a road traffic accident. She received a letter from the National Road Traffic Accident Claims Centre in Northampton, asking for information about her accident, including whether she was claiming personal injury compensation, and for information about the lorry driver concerned. The director claimed to be acting for the hospital under the Road Traffic Act 1988, and seemed to have received this information from the hospital. The victim was outraged that the hospital released her details to a third party, including her name and address, the fact she required medical treatment and where the treatment took place, without her informed consent. In this case, hospitals appear to have been directed by the Department of Health to outsource accident claims, without consultation and without due consideration being given to the ethical aspects.

One can describe the essence of the privacy problem in terms of aggregation of data. The likelihood that unauthorised use will be made of information is a function of its value and the number of people who have access to it; and building large databases increases both of these risk factors simultaneously. Put simply, we can live with the occasional disclosures that result from the record access enjoyed by GPs' secretarial staff, but we would not accept a situation in which the staff of all 36,000 GPs had access to the records of all 56,000,000 patients in the UK. Yet it is precisely this broad access to huge datasets that is being deliberately engineered in many of the systems being constructed in the NHS, and which the Caldicott committee failed to identify and challenge.


Ross Anderson
Thu Jun 25 15:00:54 BST 1998