A quarter of all government databases, including NHS Detailed Care Records Service and NHS CRS Secondary Uses Service, are illegal and should be scrapped or redesigned, a major new report on government databases has claimed.
Serious concerns are also raised about the NHS Summary Care Record Service, and its potential for abuse, with an independent review of the project called for.
The report by the Joseph Rowntree Reform Trust says that more than half of Whitehall’s 46 databases and systems have significant problems with privacy or effectiveness, and could fall foul of a legal challenge.
Database State says “Britain is out of line with other developed countries, where records on sensitive matters like healthcare and social services are held locally. In Britain, data is increasingly centralised, and shared between health and social services, the police, schools, local government and the taxman.”
In addition, the report warns that the “benefits claimed for data sharing are often illusory”, saying sharing can harm the vulnerable through discrimination and stigmatisation.
It recommends that sensitive personal information should normally only be collected or shared for strictly defined purposes, “and in almost all cases, sensitive data should be kept on local rather than national systems”.
The report says that 11 of the 46 biggest schemes fall into the “red light” category, and should be immediately scrapped or redesigned. It says “red light” projects such as the NHS CRS and SUS are both fundamentally flawed and clearly breach European data protection and rights laws.
It says of detailed care records: “The NHS Detailed Care Record, which will hold GP and hospital records in remote servers controlled by the government, but to which many care providers can add their own comments, wikipedia-style, without proper control or accountability…”
Other “red light” government projects that it says should be scrapped or rethought include: the National DNA Database; the National ID card register; and the ContactPoint child database.
The NHS Summary Care Record project, meanwhile, is described as an “amber light”, meaning the database has significant problems, and may be unlawful.
The report says the NHS SCR “will ‘initially’ hold information such as allergies and current prescriptions, although some in the Department of Health appear to want to develop it into a full electronic health record that will be available nationally.”
The report notes that in Scotland, where the SCR project has been completed, “there has already been an abuse case in which celebrities had their records accessed by a doctor who is now facing charges”.
A Department of Health spokesperson said: "It is simply wrong to claim that the Summary Care Record and other aspects of the National Programme for IT are unlawful. This report is full of basic errors and below the standards usually expected for a Rowntree report."
The spokesperson added: "Neither patient consent nor confidentiality are being overridden. The aim of the National Programme for IT is to provide information to doctors and nurses which will save lives and improve the quality of care. Central to it is patient consent and the right of patients to opt out."
The DH spokesperson continued: "The report’s comments on the Secondary Uses Service are also ill informed and inaccurate. We recently consulted widely on this specifically to ensure that patient consent and confidentiality are protected and that the public is aware of uses that any data is put to."
The study is by members of the Foundation for Information Policy Research, including Ross Anderson, a noted Cambridge University professor and information security specialist. It says Britain is now the most invasive surveillance state and the worst at protecting privacy of any western democracy.
A further 29 databases earn an "amber light", meaning they have significant problems including being possibly illegal, and needing to be shrunk or split, or be amended to allow individuals the right to opt out. The amber light group includes the NHS summary care record, the national childhood obesity database, the national pupil database, and the automatic number-plate recognition system.
Just six out of the 46 databases assessed are given a “green light” by the report, meaning that their privacy intrusions “have a proper legal basis and are proportionate and necessary in a democratic society”.
The authors estimate that £16bn a year is being spent on public sector IT, with a further £105bn of expenditure planned for the next five years. The report notes that 30% of projects fail.
The report says that in the future the procurement and development of new database systems should be subject to much greater public scrutiny and openness. A shift to medium-sized rather than national systems is also urged.
The report concludes: “There should never again be a government IT project – merely projects for business change that may be supported by IT. Computer companies must never again drive policy.”