A quarter of all government databases, including NHS Detailed Care Records Service and NHS CRS Secondary Uses Service, are illegal and should be scrapped or redesigned, a major new report on government databases has claimed.
Serious concerns are also raised about the NHS Summary Care Record Service, and its potential for abuse, with an independent review of the project called for.
The report by the Joseph Rowntree Reform Trust says that more than half of Whitehall's 46 databases and systems have significant problems with privacy or effectiveness, and could fall foul of a legal challenge.
Database State says “Britain is out of line out of line with other developed countries, where records on sensitive matters like healthcare and social services are held locally. In Britain, data is increasingly centralised, and shared between health and social services, the police, schools, local government and the taxman.”
In addition, the report warns that the “benefits claimed for data sharing are often illusory”, saying sharing can harm the vulnerable through discriminisation and stigmatisation.
It recommends that sensitive personal information should normally only be collected or shared for strictly defined purposes, “and in almost all cases, sensitive data should be kept on local rather than national systems”.
The report says that 11 of the 46 biggest schemes fall into the “red light” category, and should be immediately scrapped or redesigned. It says “red light” projects such as NHS CRS and SUS projects are both fundamentally flawed and clearly breach European data protection and rights laws.
It says of detailed care records: “The NHS Detailed Care Record, which will hold GP and hospital records in remote servers controlled by the government, but to which many care providers can add their own comments, wikipedia-style, without proper control or accountability…”
Other “red light” government projects which it urges to be scrapped or rethought include: the National DNA Database; the National ID card register; and the Contactpoint child database.
The NHS Summary Care Record project, meanwhile, is described as an “amber light”, meaning the database has significant problems, and may be unlawful.
The report says the NHS SCR “will ‘initially’ hold information such as allergies and current prescriptions, although some in the Department of Health appear to want to develop it into a full electronic health record that will be available nationally.”
The report notes that in Scotland, where the SCR project has been completed, “there has already been an abuse case in which celebrities had their records accessed by a doctor who is now facing charges”.
A Department of Health spokesperson said: "It is simply wrong to claim that the Summary Care Record and other aspects of the National Programme for IT are unlawful. This report is full of basic errors and below the standards usually expected for a Rowntree report."
The spokesperson: "Neither patient consent nor confidentiality are being overridden. The aim of the National Programme for IT is to provide information to doctors and nurses which will save lives and improve the quality of care. Central to it is patient consent and the right of patients to opt out."
The DH spokesperson: "The report's comments on the Secondary Uses Service are also ill informed and inaccurate. We recently consulted widely on this specifically to ensure that patient consent and confidentiality are protected and that the public is aware of uses that any data is put to."
The study, by members of the Foundation for Information Policy Research, including Ross Anderson, a noted Cambridge University professor and information security specialist. It says Britain is now the most invasive surveillance state and the worst at protecting privacy of any western democracy.
A further 29 databases earn an "amber light", meaning they have significant problems including being possibly illegal, and needing to be shrunk or split, or be amended to allow individuals the right to opt out. The amber light group includes the NHS summary care record, the national childhood obesity database, the national pupil database, and the automatic number-plate recognition system.
Just six out of the 46 databases assessed are given a “green light by the report, meaning that its privacy intrusions have “have a proper legal basis and are proportionate and necessary in a democratic society”.
The authors estimate that £16bn a year is being spent on public sector IT, with a further £105bn of expenditure planned for the next five years. The report notes that 30% of projects fail.
In the future the report says that the procurement and development of new database systems should be subject to much greater public scrutiny and openness. A shift to medium-sized rather than national systems is also urged.
The report concludes: “There should never again be a government IT project – merely projects for business change that may be supported by IT. Computer companies must never again drive policy.”
© 2009 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.
Local data available on national databaseunknown 313 weeks ago
"And locally held data can be often seen as more "interesting" - the data of someone you know is more "interesting" to some, than that of a total stranger & that breach of confidence it very often more damaging a neighbour, ex partner, friend, family member etc etc"
Yes, with the new system both local and distant (and celebrity) data will be equally accesible, instead of just locally held data.
Have a look at the Land Registry's scheme to "Search the UK Land Registry database of houses sold in England and Wales since 2000." for the prices at which houses have been sold. It is a national scheme but apparently most searches are of houses close to the searcher's address. See
All data breaches occur at places that existunknown 313 weeks ago
"The view that data held by GPs is safe argument is something that always raises my eyebrows, in a somewhat Roger Moore way, where does the the bulk of long level data breaches occur? At GPs and Acute Trusts - despite the best endeavours of those concerned."
Er yes, possibly because we don't have the national database yet. Just wait, you will be gobsmacked at how much confidential health data comes out.
Neverunknown 323 weeks ago
No, a GP has never lost 25million records - because they don't hold 25millions records.
When was the last time a Practice lost ALL its data? Maybe a missing backup tape - thats happened more than once.
Not pointing a finger at GPs - however "low level" losses are often ignored in favour of "profile" losses - if one patients data is lost, then that can be as serious to that individual as the loss of xmillion pieces of data.
And locally held data can be often seen as more "interesting" - the data of someone you know is more "interesting" to some, than that of a total stranger & that breach of confidence it very often more damaging a neighbour, ex partner, friend, family member etc etc
Hardly Surprisingunknown 324 weeks ago
Given Ross Andersons colours were already pinned to the mast, the outcome of the report was hardly surprising. Lets not kid ourselves that its an impartial or objective report - it was never going to be that.
However, whilst some of the views in the report are extreme, it's certainly worth being aware of the issues, as these views are shared by a small, but growing, percentage of the population. These views should be at least considered when systems are designed or changed.
The "all data sharing is bad" motto presents some interesting issues. if you don't data share & something bad happens, then you get kicked. If you do share & something bad happens, then you get kicked. Its largely a no win situation.
The view that data held by GPs is safe argument is something that always raises my eyebrows, in a somewhat Roger Moore way, where does the the bulk of long level data breaches occur? At GPs and Acute Trusts - despite the best endeavours of those concerned.
Weak and wrongly pitched...unknown 327 weeks ago
This is a very weak report, written to promote an agenda rather than assessed properly to see if it fits that agenda.
Pretty clear what the report is advocating, yet the security and consent model in Detailed Care Record is vastly superior to what is their now and certainly superior to what General Practice systems can offer. My GP receptionist probably knows or can find out more about my health than I can ! - and all I want her to do is book me an appointment to see my GP.
Why didn't the Foundation do something positive like look at consent models / opt in versus opt out benefits and risks. Suppose that would have required some research outside of google and a nice traffic light system perhaps wouldn't fit the agenda...
Let's stop sticking our heads in the sand...unknown 327 weeks ago
Having read the full report's section on health, whether the review is impartial is irrelevant. It's purpose is to provoke wider debate. The report is a literature review conducted by a team, chaired by Ross Anderson, the methods for which are not explicit. It is entirely possible that only the negative view has been presented.
But then the Government's intentions are not clear in allowing businesses to create data centres with unencrypted health data attached to patient names. Would we be happy to allow them to sell the contents, as they do with many of their other databases? What evidence is there that this is a secure approach? What is the potential effect of abuse? What will prevent abuse and what evidence is there that the methods will be effective?
With the delayed implementation of the anonymisation service, it is an interesting contradiction that NHS staff will have electronically to sign a disclaimer in order to see all parts of the record whereas users of SUS will not. There is also no clarity as to how records from STI clinics, for example, will be kept anonymous, with potentially serious implications for public health.
Also there are reasonable questions to be answered about how the correctness of the data is to be ensured and whether the benefits of long-term storage, in this form, outweigh the costs.
I would suggest that it is reasonable to argue that the security model and potential for abuse of health data are open to question and that an appropriate debate ought to be initiated before we find out the hard way, that there are unpleasant consequences for all. We need to stop sticking our heads in the sand and to start properly researching these issues.
Curate's eggunknown 327 weeks ago
Have only read the Executive Summary - the good points of the report are that it shows the wide range of databases that are being collected, though it is clear from reading about the heath cases that it is not well-research at all, having a woeful idea about the 'Detailed Care Record'.
The recommendations about scrapping are just plain daft (especially given that they are based on such poor assessments); the others, however, are generally pretty good - except for the suggested change to OJEC procurement, as though that would stop governments launching silly 'IT projects'.
It is such a pity that Ross Anderson has such a bee in his bonnet about privacy and cannot see that it is not such an issue for nearly everyone else; he is right to raise the concerns, and makes many good points, only to ruin the presentation by making daft assertions from his hobby-horse.
Impartialityunknown 327 weeks ago
The Joseph Rowntree Trust is indeed a great organisation for which I have a lot of time and respect. But it's important to understand what they do and how they do it. Accourding to their website, they '.. fund political campaigns in the UK to promote democratic reform, civil liberties and social justice.' These are extremely worthy and laudable aims, and this report fits into that agenda. But that isn't the same as being impartial or objective.
But don't take my word for it: read the report and think about it.
Partialitydesperado 327 weeks ago
The Joseph Rowntree foundation may be impartial, but I heard the piece on Radio4 with Ross Anderson, and unusually I think the announcer did ask the right question, that there is a balance to be struck, and this report fails to do it.
The example was given of mothers being concerned that social services staff would take away their baby if they reported Post Natal Depression.
An understandable concern, but I can also envisage the scorn from certain parts of the media if a mother were to harm her baby, "the GP knew there was a problem, and the social workers did nothing".
I am not a fan of joining up information just because we can, or of SUS, or most of the activities under LSP control, but I do understand why it is important that local health and social care organisations work more smartly together to support care.
With many of the proposed NPfIT solutions delayed beyond reason, the clinical and care staff are trying to work with inperfect information, and I'd prefer that they were better integrated to care in particular for the young and the very elderly.
Does the report identify "local", because CfH divided the England into 5 Local Service Provider units, and that is certainly not local to my mind.