We were hoping to publish shorter blog postings, in an effort to boost the readability and popularity of Spy Blog, however...
An email correspondent "Dave" has sent us a copy of an email from Michael Walker, Director of Digital Information & Health Policy NHS Connecting for Health which tries, but fails, to re-assure him (and us) about the confidentiality of the new, massively expensive National Health Care Records Service (NCRS) centralised medical records system which relies on the controversial new and expensive NHS "Data Spine", the National Programme for IT
"I am already having severe problems preventing people accessing my medical records without my consent or knowlege, I have had my records photocopied without my consent (there was no 'public interest' in doing so), had my information accessed by people I was told would not be allowed access and when I asked for a list of all those that have accessed it, I was refused. My PCT (Primary Care Trust) also refuses to say if they hold identifiable medical data about me outside my current/previous practices."
Despite the promises by the NHS bureaucrats, "Dave" claims that he is being denied access to healthcare, unless he gives up his privacy and is forced to trust the new system:
"I am already not being allowed access to health care unless I let people other than my GP to have access to my identifiable medical information (even though the GMC, BMA, PIAG and NHS say I can prevent this and not be denied access to health care). It seems like there are far worse things to come (its not just GPs that will have access, it will be their admin staff, managers and several thousand others including NHS direct and social services).
Michael Walker caused some controversy by appearing to renage on confidentilaity promises given to the British Medical Association etc., in a letter to Dr. Paul Thornton as reported by the BBC in March 2005.
The email to "Dave":
From: Mike.Walker@dh.gsi.gov.uk To: "[Dave]" <[email address]> Subject: Recent Correspondence Date: Thu, 20 Jul 2006 12:17:06 +0100
Dear Mr [Dave]
I promised to contact you again when I had completed my enquiries. I am now responding to the e-mail that you sent to Richard Granger and Sir Ian Carruthers on 28 June 2006. I have also taken the opportunity to respond to the notes dated 17 June, 22 June, 27 June and 10 July 2006 that you sent, or which were copied to my colleague Phil Walker and your most recent note to Richard Granger.
In your correspondence you raised a number of specific issues which I have summarised and listed below:
- NHS confidentiality standards
- NHS staff behaviour
- Patient rights in respect of data processing
- NHS Care Records Service and other national databases
- Section 10, Data Protection Act 1998
I will deal with each in turn.
NHS Confidentiality Standards
I understand that you are unhappy with aspects of how the NHS has shared information about you and with you in the past. I am unable to comment on your particular case, but I think that it is important to say that the NHS recognises that confidentiality and privacy are fundamentally important to individuals and strives to provide a good service. The standards that are required to be followed in the NHS are set out in the Department of Health publication 'Confidentiality: NHS Code of Practice' which can be found at:
and again more succinctly in the NHS Care Record Guarantee published by Ministers in April 2005 and updated in July 2006, which can be found at:
The responsibility for complying with those aspects of the law that underpin these guidelines rests with local organisations and complaints about any failure to meet the standards must be addressed to local NHS organisations through the established complaints procedures. Information about the NHS complaints procedures can be found on the Department of Health web-site at
When the new NHS Care Records Service systems are fully deployed, there will be a range of new controls in place. Staff will only be able to access systems and records if they have a current secure smartcard and valid pass code - these are issued to staff by newly created Registration Authorities that verify the identity of staff and control the issue of smartcards. No one will be able to access your clinical records unless they are working in a team that is providing you with care. If there is information in your records that you do not want to be shared even within this controlled environment, you will be able to place extra restrictions on who can see it. There will be exceptional arrangements for overriding your restrictions in case you are unconscious or if a Court requires disclosure of the records, but in these exceptional circumstances the system will generate an alert to ensure that an appropriately senior member of staff is informed and can properly investigate the occurrence. You will be able to specify whether or not you want your identifiable clinical information to be shared between different organisations and your specification will be held within the system. A record will be kept of everyone who accesses information about you.
Just as with the National Identity Register audit trail, the audit trail implied by "A record will be kept of everyone who accesses information about you." is itself a huge potential source of privacy and security problems.
Who exactly has access to this audit trail ?
If your record is legitimately accessed by a clinician whose NHS identity can be cross referenced with other databases which show that they are specialists in say AIDS or cancer or obstetrics etc. then the audit trail itself is enough to betray confidential medical information to third parties , who may jump to the conclusion that you are likely to be suffering from a sexually transmitted disease or are pregnant etc.
There is also the question of your own access to the audit trail of your own National Health Care records.
Do you get to see this at all, and if so, are bits of it censored ?
Will all Police and Intelligence Agency accesses of your records be hidden from you, even if there is no criminal or intelligence investigation which might be still active ?
NHS Staff Behaviour
Local NHS organisations are responsible for the actions of their staff and there are local complaints procedures in place to investigate issues and concerns raised by patients. The Department of Health cannot intervene in these locally managed processes, but does provide guidelines on how they should operate. If local procedures fail to resolve a complaint, there is also the possibility of taking matters further, for example, to the:
Healthcare Commission at http://www.healthcarecommission.org.uk
General Medical Council at http://www.gmc-uk.org/
Health Ombudsman at http://www.ombudsman.org.uk/
Information Commissioner at http://www.ico.gov.uk
or through civil action in the Courts.
As staff are registered to use the new NHS Care Records Service systems they are required to sign a form binding them into explicit terms and conditions relating to patient confidentiality. Any abuse of systems or the data they contain is taken very seriously. The Department of Health has provided guidance to the NHS to the effect that any breach of confidentiality should be subject to disciplinary action and fully supports the Information Commissioner's proposals to seek increased penalties for unlawful use of data about individuals.
In other words, there are currently no criminal penalties which can be used against deliberate or negligent abuse of your NHS Care Records i.e. the biggest risk that an NHS data privacy abuser faces is possible internal disciplinary action.
That is not our idea of a "robust framework for protecting the rights of individuals" as quoted below.
Patient Rights in Respect of Data Processing
The instructions that you provided as an attachment to your e-mail of 17 June 2006 are both specific and clear, but are based erroneously on a presumption that as a patient you are able to instruct the NHS on what are essentially matters of general health service management or administration. No one will be denied access to healthcare, regardless of the decisions that they make in respect of how their information can be shared. However, I must make it clear that everyone receiving NHS care will need to have a record in the new IT systems. This is necessary to satisfy legal requirements, but is also important for patient safety and efficient management of services. These are explained in more detail below.
Our correspondent "Dave" finds the words
"However, I must make it clear that everyone receiving NHS care will need to have a record in the new IT systems."
worrying as this "seems to imply that patients must consent to having a NCR and having their data stored on a national database."
Your rights in respect of information that can identify you are provided by common law obligations of confidentiality, and by Data Protection and Human Rights legislation. Taken together, these provide a robust framework for protecting the rights of individuals but they do not prevent processing of information in all circumstances nor do they provide any general right for individuals to instruct or direct those who process information.
Doctors are required to keep records and the organisation that they work for, be it a GP Practice or a hospital Trust, is required to ensure that information is held securely and that confidential information is not shared inappropriately. However, patients do not have the right to determine the media on which the records are kept, eg on paper or in computer systems, the physical location of the information or who manages those systems. Your GP, therefore, does not have to seek your approval if he/she decides to keep records about you on a system supported by the local Primary Care Trust, or indeed a system supported by any other part of the health service. You can, however complain if your confidentiality is compromised.
How will you know if your confidentiality has been compromised ?
There is no legal duty to inform you of breaches in data security and privacy which may have affected your personal records e.g. a lost or stolen laptop computer or computer backup tape, or an insider caught selling NHS data to unauthorised third parties etc
In certain circumstances, it may be possible to persuade a clinician to record items of information on paper or on stand-alone systems, but many types of care will in future depend upon information being shared through these systems and for these it will never be possible to agree alternatives.
NHS Care Records Service and other National Databases
You have asked that no information about you should be kept on the NHS Care Record Service, but it will be necessary for some information to be held about everyone who is a patient of the NHS. In particular, contact details must be held to:
- satisfy legal requirements for registers of which patients are under the care of each GP Practice
- to ensure that each individual presenting for care is ordinarily resident in this country and therefore eligible for free care
- to ensure that information about one patient does not become confused with that of another patient, and
- to contact patients when they need to attend check-ups etc.
Similarly, if a patient is admitted into hospital it will be necessary to hold administrative details within local elements of the NHS Care Records Service in order to manage the period spent in hospital, assign the patient to a ward and a bed and to keep track of blood tests etc. Core components of care such as laboratory test and radiology results will only be available within the NHS Care Records Service systems. I am aware that you have indicated that you are not concerned about those treating you having access to information about you,
"Dave" is actually concerned about this as well.
but I must point out that in future this will be through the NHS Care Records Service - there will not be an alternative system available for local clinicians to use when providing NHS care.
Section 10 Request
In your correspondence, you indicated that you wished to request that all processing of data about you should cease. This request was made under the provisions of section 10 of the Data Protection Act 1998.
It is clear from your correspondence that you are concerned primarily about clinical information that is capable of identifying you from being shared outside of the organisation where you received care. There is currently only one database where such information is held - the NHS Wide Clearing Service - and I know that you have been in direct contact with the managers of that Service. The Department of Health has authorised deletion of all clinical information held within the Clearing Service and has directed that your record be flagged to prevent any further information being fed into this database from local systems.
The means by which information will be fed into the non-local element of the NHS Care Records service is still being developed but you will be provided with more information about this through a letter drop in advance of the systems being introduced in your area and informed who to contact to express your preferences at that time.
While your request to have clinical data removed has been complied with, it is necessary to continue to hold your contact details centrally. This is a requirement for all NHS patients. The Information Commissioner's office have advised that there need to be grounds of significant damage or
distress to provide a basis for requesting that processing of information should cease. I do not think that this has been demonstrated in respect of your contact details, but if you wish to offer evidence on this issue, I will ensure it receives appropriate consideration.
I hope that I have been able to respond to all of the issues and concerns that you have raised. It would help us to ensure that you receive timely responses to any future correspondence if it could be addressed to
Director of Digital Information & Health Policy
NHS Connecting for Health
"Dave" is not the only person concerned with the risky NHS medical records systems.
Dr. Ian Brown, an IT security expert, has also been trying to opt out of the scheme see "Please do not store my medical records in your leaky information systems"