Fresh questions have been raised over the anonymity of de-identified patient data provided through the NHS secondary uses service for use in research trials.
In a letter published in the British Medical Journal, Dr Ian Brown of the Oxford Internet Institute says that NHS rules mean that supposedly anonymous patient data, provided for research purposes without patients’ explicit consent, can be "trivially" re-identified.
Dr Brown says that the policy presumption that anonymisation and pseudonymisation of data is sufficient protection means that patients are not fully informed or given a choice about how their medical records will be used. He argues that as a result they are misled about the risks to their privacy.
SUS is designed to enable patient data taken from NHS electronic medical records to be de-identified and used for research purposes.
SUS allows the use of the data for ‘health research’ through three different routes: with the explicit consent of the patient; by special permission from the National Information Governance Board (NIGB); and, crucially, if the information has been pseudonymised.
Under the pseudonymised route, SUS will supply data in which patients’ names and addresses have been replaced by their date of birth and postcode, says the letter. It adds that some data may also include the patient’s unique NHS Number, making identification even easier.
"As a postcode typically contains about 20 houses, almost all patients are easily identifiable by reference to these facts," Dr Brown says in the BMJ letter.
The letter is co-signed by Lindsey Brown, a researcher in public health ethics at Bristol University, and Professor Douwe Korff, a data protection specialist at London Metropolitan University.
Dr Brown and his colleagues argue that such weak privacy policies could be illegal under European data protection laws.
"Patients are not currently being adequately informed about possible secondary uses of their medical data for medical research."
Their letter comes after the Academy of Medical Sciences’ (AMS) called for a relaxation of the rules on accessing patient data. The AMS argues that easier access to sensitive patient data records will aid medical research.
However, in its full response to the government’s Information Revolution consultation, the BCS Chartered Institute for IT argued that patients should give consent to their data being used for secondary purposes, to promote transparency.
And the BCS Primary Healthcare Specialist Group recently issued guidance on the use of SUS data, after raising concerns about current practice.
The BMJ letter calls for greater transparency and clarity of policy on the limits of anonymisation and peudonymisation.
“While important, anonymity alone cannot be relied upon to protect the interests of participants," it says. "We suggest that when possible, providing people with choices about participation in research through consent remains the most appropriate mechanism to protect people’s privacy.”
Another letter in the same issue , Richard Turner, retired former director of public health at the Faculty of Public Health, argues too much emphasis has been put on the need to anonymise patient data for research purposes, and that this is disproportionate to the actual risks.
“I have had great difficulty in finding any reported incidences of data abuse at all, even where whole sets of patient records have ‘gone missing’," he writes.
“The NHS has the potential to be the biggest ‘record laboratory’ in the world, and I think this should be exploited to the benefit of the NHS and the population in general as much as possible.
"Hypothetical concerns completely unsupported by any evidence of harm having occured whatsoever should not be allowed to prevent this from happening.”