Privacy and Safety

From Nhs It Info


NPfIT wins a Big Brother Award (Sep 2004)

The British Journal of Healthcare Computing & Information Management

"Human-rights watchdog Privacy International (PI) announced the winners of its Big Brother Awards 2004 in July. It is the sixth year that the privacy group has run a competition to name those who have "done the most to devastate privacy and civil liberties in the UK". The Most Appalling Project accolade went to England's National Programme for IT in the NHS, for its national database of medical records and its continuance of plans to computerise medical records in a way that is both insecure and dangerous to patients' privacy. Issues involving patients' informed consent and overall control of the information in the records are currently of most concern."

Computer loophole hits hi-tech NHS trial (14 Nov 2004)

Sunday Times,,176-1358226,00.html

"Part of the trial for the government's multi-million-pound scheme to computerise the National Health Service has been halted over fears that patient confidentiality may be compromised. Medical staff in a pilot project for the "choose and book" appointments system - designed to speed up referrals to consultants - claim it gives any doctor access to any GP's patient's records and allows them to make changes. Confidentiality is just one problem detailed in a leaked memo by a project leader in the national programme for information technology (NPfIT) which outlines seven reasons why doctors have refused to use the system, even in trials. . . The leaked document informed trusts involved in the scheme that doctors in Barnsley had refused to use the system. Although clinicians had been given access from July, "no actual live bookings have taken place". The scheme was then temporarily halted. The memo details a wide range of problems. In addition to allowing any user to access a patient's records, the system does not keep sensitive details such as HIV and pregnancy terminations from being made available on the NHS's central computer."

Sources of Complexity in the Design of Healthcare Systems: Autonomy vs. Governance (10 Mar 2005)

Workshop on Complexity in Design and Engineering, University of Glasgow

". . . In both the UK and US there are national initiatives to introduce greater use of IT in clinical settings. The broad aims of the NPFit (UK) and PACIT (USA) programmes are similar. They aim to streamline data processing to cut costs and reduce clinical errors. For example, it is proposed that electronic prescribing of medicines will cut costs in paperwork and reduce prescribing errors which account for a large number of patient deaths (44,000 to 98,000 deaths caused by medical errors in the USA). Both schemes aim to introduce electronic patient records, again to cut costs of paper records and reduce errors from paperbased systems. Both systems also look to more clinical governance and audit of medical processes so that medical staff are more accountable for their actions. The UK initiative is already displaying the signs of a large project out of control with the projected costs of £6Bn rising to between £18Bn and £31Bn. The lack of user centred design is evident by a recent (BBC) poll showing 75% of family doctors are not certain that NPFit will ever meets its goals. The first stage of the electronic appointment systems has largely failed to meets its use targets. However, a smaller scale introduction of region-wide IT in the Wirral was more widely accepted with 90% of family surgeries and the vast number of patients accepting the system. Thus IT systems can succeed. This is important for our work, for in order to succeed, it requires a working IT health infrastructure. Furthermore the twin goals of cost and error reduction may be mutually incompatible. As Reason points out (Reason 1997) organisations have processes for productivity and safety but circumstances will arise, either through unsafe acts or latent system weaknesses, which lead to organisational failure. Safety protocols may be violated in the name of efficiency or sets of latent weaknesses will line up to cause an accident. Many individual errors are the result of cognitive under-specification (Reason 1990) of the user"s tasks. In our project we aim to over-specify and support clinical tasks by describing them in the situation calculus. This will provide a robust means of supporting decision making and ensuring that chances to decisions protocols remain valid. . ." [A. Taleb-Bendiab et al]

Doctor's notes (29 Mar 2005)

The Guardian,,1447062,00.html

"Electronic medical records for all UK patients are in the final stages of planning. . . . But electronic medical records will not just be open to your necessary healthcare staff. Pilot studies have shown instances where the Department of Work and Pensions has accessed medical records in respect of benefit payments."

NHS Confidentiality Consultation - FIPR Response (25 Jun 2005)


"The fundamental question is whether the Department of Health should have a database containing a fairly complete record of every hospital treatment in the UK, including not just the treatment code and the cost, but also the name and address of the patient. A secondary question is whether the Department of Health should have an accessible central record of all a patient's care relationships. . . FIPR believes that no one in central government - whether ministers, DoH officials or NHS central managers - should have access to identifiable health information on the whole UK population. This is backed up by studies showing that although patients trust their carers with medical information, the majority do not trust NHS administrators."

Confidentiality - the final betrayal (25 Jun 2005)

BMJ Careers

". . . The NHS National Programme for Information Technology (NpfIT) in England and Wales, now renamed as "Connecting for Health," has ordained that there will be an electronic patient record, and Scotland is not far behind. That record will not be in the form of a smartcard in the possession and control of the patient, but will be on a central database that will be shared among "the NHS family," albeit that blandishments over "need to know" are regularly issued. Initial ministerial promises that patients will be able to control what information is placed on what is known as "the spine" (information accessible to clinical staff outside the practice) are inexorably being undermined. Patients are authoritatively told that in an emergency it is essential that information is instantly available to wherever a patient may turn up; they seem to forget that Alexander Graham Bell"s invention was sufficient for this purpose during the whole of the 20th century. Until the potential consequences of this information incontinence are thought through, patients are initially attracted by it, perhaps forgetting that they developed their antibiotic rash after treatment for an embarrassing illness acquired during an extramarital adventure while on a business trip to Amsterdam. Once the genie of confidentiality is let out of the bottle it cannot be put back in, and the unintended consequence could well be that patients become reluctant to discuss the most intimate details of their health with their general practitioners. "There will be high security and audit trails," say the enthusiasts of electronic medical records, but I suggest that they are the equivalent of making your bank username and password potentially available to the entire clinical staff of what is the largest single employer in northern Europe"the NHS. In the United Kingdom we already have a flourishing business in identity theft. Am I being told that it will be impossible for a corrupt NHS employee to acquire the IT identity of another clinician? The first enquiry to be actively encouraged by unscrupulous investigative journalists will be for access to one Blair, Leo, dob 20 May 2000, address London SW1A 2AA, to see what childhood injections were administered. . ."

PCT safety culture needed to prevent errors (30 Sep 2005)

e-Health Insider Primary Care

"A lack of understanding about IT systems and a failure to establish a safety culture are to blame for the publication of confidential information about 92 patients by a primary care trust, according to an investigation into the error. Melton, Rutland and Harborough PCT accidentally included identifiable information on 92 patients in its board papers and sent the information out to 35 people including the local media. The details, including patients" names, addresses and telephone numbers and the reasons why they had called an out-of-hours centre, were also available on the PCT"s website for a short time. The 32 page report into the incident by the PCT includes recommendations that the PCT promotes a safety culture in the use of information, raises staff awareness of IT systems, policies and procedures and reviews the use of patient identifiable information. . . The report says that the out of hours software package used by the PCT, Adastra, was not able to provide the detailed information required by the board so the PCT downloaded the data for more detailed analysis using Excel software. The subsequent document produced by "manager A" and overseen by "director B" included graphs created in Excel and then cut and pasted into a Word document with embedded information on all the patients who had attended two out of hours centres on two bank holidays in May. The report adds: "Neither Director A or Manager B were aware of the presence of embedded data within these graphs or that patient identifiable data was present for the May Bank Holiday attendance." The report reveals that due to pressure of work Manager A had also breached PCT policy by taking the relevant information home using a USB memory stick, making changes to the document and emailing it back to Director A in the early hours of the morning. . ."

Thousands of children at risk after computer fault (26 Feb 2006)

The Observer,,1718325,00.html

"As many as 3,000 babies and toddlers may have gone without crucial vaccinations because a privatised NHS computer system has failed to monitor which children are due for jabs and whether they have received them. An Observer investigation has found that the child health information system, introduced last summer as part of the government's £7 billion IT programme, has derailed the country's entire vaccination programme, leaving health staff resorting to slips of paper to work out who needs immunising. Several women whose babies were stillborn have received letters asking them to take their babies for their first vaccinations. . . The problems began last summer, when primary care trusts across north London and Essex, covering some five million adults and children, switched over to a new system - Child Health Interim Applications (CHIA), run by BT. The system was supposed to work across different health districts, replacing one that for years had collected all the data of the immunisation of pre-school children. It was supposed to trigger an automatic response when a child was due to have a jab. . . But, according to the Health Protection Agency and others, it soon emerged that CHIA was not capable of producing the lists needed to record immunisation status of children. Nor was it capable of monitoring the health of the children, to show whether any suffered side-effects from vaccines. "

Focus: Anatomy of a £15bn gamble (16 Apr 2006)

Sunday Times,,2087-2136718.html

"The Nuffield Orthopaedic Centre was at the forefront of a multi-billion-pound revolution to modernise the entire computer system of the National Health Service " and the screens had suddenly frozen. Medical staff looked on in disbelief as they tried to retrieve lost records. . . Although the system was functioning again the next day, some patient files seemed to have disappeared completely. The trust was so alarmed that it sent a report to the National Patient Safety Agency, warning that it had posed a potential risk to patients."

Paradoxical access (May 2006)

Dr. Paul Thornton

"Patient records will be unavailable for care with consent but widely accessible to others contrary to the wishes of patients. . . Large numbers of patients who live close to the boundaries between clusters will find that their GP in one "cluster" is unable to share a detailed care record even with the patient's consultant in the local District General Hospital if it is in the adjacent "cluster". GP's may even be disconnected from cross boundary district nursing teams. . . The active, expressed dissent of the patient will be required to place limited restrictions on the access to information. The proposals do not reach the standard of dialogue required for "implied" consent that was set by the previous Information Commissioner."

When did we last see your data? (8 Jun 2006)

The Guardian,,1792102,00.html

"Last month, the Information Commissioner's Office (ICO), the state-funded watchdog for personal data, published a report, What Price Privacy?. The title's question was answered with a price list of public-sector data: £17.50 for the address of someone who is on the electoral register but has opted out of the freely available edited version; £150 to £200 for a vehicle record held by the Driver and Vehicle Licensing Agency; £500 for access to a criminal record. The private sector also leaks: £75 buys the address associated with a mobile phone number, and £750 will get the account details. . . Medical professionals are concerned about risks to data security caused by the creation of the NHS's Connecting for Health's Care Records Service. That will establish electronic patient records for everyone in England, accessible at any NHS site, and replace on-site computerised or paper patient records. Users log on using a "chip and pin" smart card and number. Access will be limited to those with a reason, and there will be an audit trail. Patients will be able to put sensitive information in an electronic "sealed envelope". Last week Lord Warner, the health minister responsible, said the overall programme is more than two years late - due partly to software problems, but also to disagreements over access to records. Of 787 doctors contacted recently by researcher Medix for the BBC, 44% disagreed that the proposals to maintain confidentiality of records were satisfactory, while 21% agreed. Among GPs, 57% disagreed and 13% agreed. Dr Richard Vautrey, a Leeds GP and member of the British Medical Association's GP committee, says the technical security seems state of the art. However, "the proposal is that there will be an assumption of consent that records can be shared", he says. Patients will have to opt out of sharing. And it is not clear who might see records, Vautrey says. "The patient may be happy for a consultant to have access, but not a social worker." But once data is on the national system, patients may be unable to stop access by other parts of government, he adds. That could damage the trust between patients and doctors. Patients might refuse to divulge data, or demand a second "private" record is created - just what the system was meant to prevent."

GPs and their families urged to boycott NHS 'spine' (20 Jun 2006)

e-Health insider Primary Care

"Last week"s local medical committees" conference voted in favour of a proposal to advise GPs to consider withdrawing from the spine after hearing about access to the personal demographics service (PDS) which holds demographic data on every patient in England. . . A total of 54% of representatives voted in favour of the proposal with 46% against despite a speech in defence of the PDS from Dr Gillian Braunold, national GP clinical lead for Connecting for Health and a GP in London."

Don't trust our data to NHS computers (22 Jun 2006)

Times Online,,8122-2236581,00.html

". . . If hackers could penetrate the Pentagon programs, the NHS database with its countless access points and numerous bona fide password holders will be easy pickings for hackers. It will also provide all the data that any government department should decide it must have so that, for example, an identity card database would be superfluous. And what happens when the system goes down, either for maintenance purposes or it crashes? No computer program is guaranteed crash-proof. I wouldn"t want my data to be unavailable when the worst happens to me. I would want it on hard copy. If the powers-that-be wanted a safe method of storing personal data, surely the smart-card system, whereby everyone had their own data on their own card kept in their purse or wallet, would be free from hackers and free from computer crashes."

NHS database? No one asked me! (7 Jul 2006)

The Register

"I was horrifed to discover that here was the government creating a database of everyones patient records, records which up until now I had thought were privy only to my doctor and a few others at local level. . . I wrote to Patricia Hewitt's office and demanded an explanation and got by return a snooty letter saying how everyone would benefit from having access to their medical notes countrywide and how I should be grateful the database is being formed. . . Let's hear the other side of this debacle, how the Public is not being ASKED if it WANTS this database - what do you think the average person would say if they knew the implications of some nasty neighbour who worked in the NHS getting to look at their records or some hacker publishing their records on the Net? How cheated do you think a rape victim will feel if everybody gets to know because someone accidentally, or deliberately makes the information public? How long will it be before we all start getting refused insurance with no explanation and then find our insurance companies have read our medical history?"

NHS trust uncovers password sharing risk to patient data (11 Jul 2006)

Computer Weekly

The UK's largest NHS trust has discovered endemic sharing of passwords and log-in identifications by staff, recording 70,000 cases of "inappropriate access" to systems, including medical records, in one month. The Leeds Teaching Hospitals NHS Trust said there was a "wholesale sharing and passing on of system log-in identifications and passwords" and it warned that uncontrolled access "presents a considerable risk to the security of patient data" and consequently puts the trust at risk. The Leeds trust is the largest in the UK and includes the biggest teaching hospital in Europe. It has a budget of £730m, employs 14,000 people across eight sites and treats about one million patients a year. A management paper to the trust's main board, dated 6 July, said that in one month alone "70,000 examples were detected of inappropriate access of IT systems by trust staff". The paper added, "This took the form of wholesale sharing and passing on of system log-in identifications and passwords. The system misuse was widespread across departments, sites and disciplines." Doctors said the sharing of codes which give access to NHS systems and medical records was an ingrained practice within the NHS. This culture was recognised as a threat to the confidentiality of medical records which are due to be uploaded from local systems to a national data spine under the NHS's National Programme for IT (NPfIT). Under the NPfIT, sensitive information on 50 million people in England is due to go online, although this has not happened yet. NHS managers can discipline staff after a breach has occurred - but they cannot stop it happening. . ."

Doctors attack NHS IT system: Patient confidentiality at risk, say concerned sawbones (26 Jul 2006)

The Register

"Doctors have spoken out against the controversial £12.4bn NHS IT system that is over budget and behind schedule, claiming that patient confidentiality is being put at risk by the system. Writing in the British Medical Journal, a series of doctors have said that it is unwise to put the medical records of the entire population on one computer. . . Meanwhile a report has discovered that NHS IT system security is being compromised because of poor or non-existent mobile device security. Carried out by Pointsec Mobile Technologies and the British Journal of Healthcare Computing and Information Management, the survey has found that two thirds of mobile data storage devices have inadequate security."

Call for national standards on remote access (22 Aug 2006)

e-Health Insider Primary Care

"GPs are calling for national standards on remote access to practice computer systems because of concerns that present methods could potentially put patient data at risk. Dr Paul Bromley, a GP in Leek, Staffordshire, and colleagues from the EMIS National User Group are unhappy that the current arrangements delegate decision-making to primary care trusts (PCTs) and argue that definitive national guidance is needed. Dr Bromley, who has developed a special interest in remote access over the last few years, says that for several years he used the solution offered by Cable and Wireless, and latterly BT, which secured the connection between the remote computer and NHSnet. He told EHI Primary Care: "It was only later, after somebody pointed it out to me, that I realised the virtual private network tunnel only went as far as the NHSnet connection, not all the way to our practice server and so could be intercepted form within NHSnet." . . . The issue of remote access was the responsibility of the NHS Information Authority. Since its demise, however, this has been delegated to PCTs. GPs say they are concerned that no-one at PCT level will have sufficient expertise in remote access security."

Connecting for Health: IT and Patient Safety (24 Oct 2006)

Patient Safety

"This meeting of the All-Party Parliamentary Group on Patient Safety aimed to discuss issues surrounding the Connecting for Health programme and to consider more broadly how IT solutions can best benefit NHS patients and practitioners.. . . Nigel Hawkes CBE, Health Editor of The Times stated that in principle the Connecting for Health programme is a positive step forward in providing safer patient care in the NHS. However, Mr Hawkes stressed that the Connecting for Health programme is currently largely incomplete and thus at present largely untested. He expressed concerns about system failures on the programme that have already happened in isolated areas and added that such failures could be disastrous if they occurred on a national scale. Mr Hawkes called for a greater provision of public information from the Government around the programme, so that patients fully understand how Connecting for Health will operate across the NHS. . . Dr Hamish Meldrum, Chairman of the General Practitioners Committee at British Medical Association, stressed that the introduction of IT systems to the NHS must be an evolutionary process and not thrust upon staff. From a GP's perspective, Dr Meldrum stated that Connecting for Health would in theory provide fast and reliable access to patients' medical records, which in turn will help inform clinical decisions. . ."

Warning over privacy of 50m patient files: Call for boycott of medical database accessible by up to 250,000 NHS staff (1 Nov 2006)

The Guardian,,1936403,00.html (Front page lead story)

Millions of personal medical records are to be uploaded regardless of patients' wishes to a central national database from where information can be made available to police and security services, the Guardian has learned. Details of mental illnesses, abortions, pregnancy, HIV status, drug-taking, or alcoholism may also be included, and there are no laws to prevent DNA profiles being added. The uploading is planned under Whitehall's bedevilled £12bn scheme to computerise the health service. After two years of confusion and delays, the system will start coming into effect in stages early next year. Though the government says the database will revolutionise management of the NHS, civil liberties critics are calling it "data rape" and are urging Britons to boycott it. The British Medical Association also has reservations. "We believe that the government should get the explicit permission of patients before transferring their information on to the central database," a spokeswoman said yesterday. And a Guardian inquiry has found a lack of safeguards against access to the records once they are on the Spine, the computer designed to collect details automatically from doctors and hospitals. The NHS initiative is the world's biggest civilian IT project. In the scheme, each person's cradle-to-grave medical records no longer remain in the confidential custody of their GP practice. Instead, up to 50m medical summaries will be loaded on the "Spine. The health department's IT agency has made it clear that the public will not be able to object to information being loaded on to the database: "Patients will have data uploaded ... Patients do not have the right to say the information cannot be held." Once the data is uploaded, the onus is on patients to speak out if they do not want their records seen by other people. If they do object, an on-screen "flag" will be added to their records. But any objection can be overridden "in the public interest". . .",,1936149,00.html (Full story: "From cradle to grave, your files available to a cast of thousands")

Spine-chilling (1 Nov 2006)

The Guardian (Leader),,1936254,00.html

"The most closely guarded of secrets are often medical. A history of depression, a sexually transmitted disease or a long-ago abortion may well be deeply personal matters which many people would wish to remain private. Likewise, anyone who has recovered from a drug problem or from a suicide attempt may dread nothing more than these facts about their past getting into the wrong hands. Sometimes the desire for privacy reflects disposition, sometimes the potential impact on work or on family. Whatever the grounds, there is a right to expect that the confidentiality of one's medical history should be respected.Which is why there are good causes for alarm in our reports today about the way in which such data is being transferred to electronic records. There is a cause for real doubt about whether medical privacy can continue to be guaranteed. The creation of a centralised "spine" of all English medical records is at the heart of the government's £12bn IT programme, Connecting for Health. Modernisation, if carried out properly, offers advantages over a paper-based system. Currently, if someone falls ill away from home, a doctor can be left treating them with one hand tied behind their back, until the sluggish paper-trail catches up. A well-run computerised system should allow records to be accessed wherever they were needed. In principle, it should be possible to devise the system in a way that couples these gains with stringent privacy safeguards. But that is not what is happening. For one thing, under the plans, non-medical authorities could sometimes access the data when this is judged in the public interest. For another, it remains unclear whether patients will be able to block sensitive facts about themselves from being put on the general database. A third worry is the lack of clear rules limiting the type of information held on the database. Reassurance is especially urgent because of the poor record of government IT in general, and the unhappy history of Connecting for Health, in particular. With 250,000 people having access to the spine, the records will be as good as public unless the technology carefully controls who sees what. The Information Commissioner's recent damning report on privacy revealed a flourishing trade by private investigators in snooping out personal information from supposedly secure systems. Until it can be shown that confidentiality can be guaranteed, patients will be understandably uncomfortable about entrusting the system with their records. The case for efficiency is strong, but not at any cost. Privacy matters too."

A national database is not essential' What health professionals say about the new NHS database (1 Nov 2006)

The Guardian,,1936174,00.html

"Paul Thornton, who has a website and runs a GP practice near Birmingham, wants the BMA to get counsel's opinion on the scheme. He says the Spine is dangerous and unnecessary. "A national database is not essential ... other mechanisms exist for the sharing of relevant information between directly involved health professionals ... without the need to leave a copy of the information on the nationally accessible database." This view is supported on practical grounds by Richard Fitton, a Derbyshire GP who has pioneered computer access by his patients to their own local records and was a member of the government's NHS IT advisory body. He told a Warwick University conference he disagreed with data being loaded on to a central system and preferred localised databases for patient care. He is an enthusiastic supporter of electronic record-sharing, with patient consent. But he says: "I've never liked uploading to the Spine - it's the wrong idea." . . . Richard Vautrey, who is a member of the BMA and the GP working parties on the subject, says "sealed envelopes" are probably unworkable, no agreement has been reached yet over the issue of explicit consent, and the data on the Spine could be attractive to the police. . ."

The woman falsely labelled alcoholic by the NHS (2 Nov 2006)

The Guardian,,1937302,00.html

"Helen Wilkinson was mistakenly labelled an alcoholic after a simple computer error by the NHS. An unknown official at a hospital was updating her medical records and inputted a wrong code. The mix-up meant she was recorded as having received treatment for alcoholism, instead of surgery. Ms Wilkinson, 40, was furious and began a campaign to have all information about her permanently removed from the hospital's databanks. But she ran into a problem: the NHS already keeps electronic records on everyone who receives treatment from the health service, whether they are seen by a GP or at a hospital. She succeeded in her campaign only because she took drastic action - she withdrew from the NHS altogether so that her records were deleted. Now she is refusing to be treated on the NHS ever again if her personal details are stored on an NHS computer. "I am putting myself at risk. I am not going back on a database if it kills me," she said. Her case highlights two problems which are likely to grow with the government's plan to create a national database for all patient medical records. Firstly, millions of patients will inevitably have mistakes in their computerised records which will in the future be read by more people than in the past. The government has not yet delivered on a promise that patients will be able to check their records on the internet for mistakes. Officials say that "there is no firm date yet". Secondly, there is an unresolved question of whether patients who refuse to go on to national databases will still be allowed to receive treatment. . ."

Ministers to put patients' details on central database despite objections (2 Nov 2006)

The Guardian,,1937012,00.html

"Health ministers vowed yesterday to press ahead with uploading millions of medical records on to a central NHS database, even if many people objected to their personal details being included. The Department of Health scorned a campaign, described in the Guardian yesterday, to force the government to abandon the scheme on the grounds that it could breach the confidentiality of personal information. . . But some doctors and security experts have cast doubt on whether sensitive personal data might be divulged to the police or stolen by computer hackers. Ross Anderson, professor of security engineering at Cambridge University, said: "If enough people boycott having centralised NHS records, with a bit of luck the service will be abandoned." The government said there was no question of backtracking. Lord Warner, the health minister, said: "Health professionals cannot treat patients and decide to keep no record of it. Those records are not the property of GPs. Other health professionals need to access them to provide safe treatment. In that context, we have no intention of moving away from implementing the electronic care record. But we will ensure there is a public information campaign so that people know what is happening." The department will start uploading information about patients in two "early adopter" areas of England in the spring. "We will go ahead on the basis of implicit consent ... People can then choose to opt out of the system, but we will counsel them that if they do so they might jeopardise their safety. They would be saying nobody could have access to the information without their informed consent - and that might be difficult after an accident." By opting out, people could not get their medical record removed from the national database. . ."

NHS plan for central patient database alarms doctors (21 Nov 2006)

The Guardian,,1953185,00.html

"A poll of doctors about the new £12bn computer system for the NHS shows growing unease about a potential threat to patients' rights. After answering questions by the medical pollsters Medix, the GPs and hospital doctors were invited to volunteer comments. Richard Johnson, a GP from Dalton-in-Furness, Cumbria, said: "I am extremely concerned that the public is unaware of the fact that their personal medical records may be uploaded to the national Spine [central database] without any real safeguard about who can access them. I believe such a move will destroy the concept of medical confidentiality and that patients will be unwilling to confide in their doctors and doctors may well be unwilling to record information given in confidence." Another GP said: "I feel we are being pressured into disclosures that would have been actionable by the GMC a few years ago." . . . The GPs were particularly critical of Choose and Book, which allows them to electronically book hospital appointments at a time convenient to their patients. The poll found half of GPs use the system for more than 40% of referrals. But among these regular users 90% say it increases the time taken to refer a patient to hospital and 70% think it is detrimental to patient care or makes no difference. One GP said: "Choose and Book is an unmitigated disaster. Patients want to be referred to a doctor I know, not a building from a brochure." . . ."

GPs revolt over patient files privacy (21 Nov 2006)

The Guardian,,1953212,00.html

"About 50% of family doctors are threatening to defy government instructions to automatically put patient records on a new national database because of fears that they will not be safe, a Guardian poll reveals today. It shows that GPs are expressing grave doubts about access to the "Spine" - an electronic warehouse being built to store information on about 50 million patients - and how information on it could be vulnerable to hackers, bribery and blackmail. . . Ministers have committed a large slice of the NHS's £12bn IT upgrade to developing the Spine. They acted on the assumption that doctors would provide the information without asking their patients' permission first. The new system has been constructed to upload information from GPs' computer systems automatically, without giving patients a say. But the poll found 51% of GPs are unwilling to allow this uploading without getting each patient's specific consent. Only 13% say they are willing to proceed without consent and the rest are unsure or lack enough information to comment. Asked to identify the three most important concerns about confidentiality, 62% of GPs and 56% of hospital doctors said they were worried about "outsiders hacking into the system"; 62% of GPs and 51% of hospital doctors similarly feared "access by public officials outside health or social care". Other big fears included "bribery or blackmail of people with access to the records" and concern about "clinicians not adhering to the rules". . ."

GPs threaten to snub NHS database (21 Nov 2006)

BBC News

"Half of all GPs will consider refusing to put patient records automatically on to a new national database in defiance of the government, a survey finds. The Guardian newspaper poll of 1,026 GPs and hospital doctors found many doubted the security of the new system. Four out of five thought the confidentiality of their patients' records would be at risk. The government hopes the new database will store medical information on about 50 million patients in England. The electronic warehouse, dubbed Spine, is part of the NHS's £12bn IT upgrade, which aims to link up 30,000 GPs to nearly 300 hospitals and give patients access to their personal health and care information. The Guardian poll found that while most GPs believed a national electronic record would bring clinical benefits to patients, 51% were unwilling to allow people's data to be uploaded without their permission. More than 60% said they feared the system would be vulnerable to hackers and unauthorised access by public officials from outside the NHS and social care. . ."

Children"s Databases: Safety and Privacy - A Report for the Information Commissioner (21 Nov 2006)

Foundation for Information Policy Research

". . .Conclusion: This is a critical point at the evolution of data protection law and practice in the UK. Britain has paid less attention to privacy than our continental partners; the weak implementation of European data-protection law and the poor resourcing of the Information Commissioner"s office are familiar enough complaints. At the same time, a number of centralising initiatives (from the NHS Care Records Service to the ID cards project) have combined to raise public disquiet about privacy. . . The children"s database systems will shortly be followed by other social-care systems, notably for older people and for the mentally ill. Data collection under the rubric of social care will leave few families in Britain untouched. Ultimately, if illegal systems are built, they will be challenged in the courts. If the Commissioner prevents that by regulatory action now, he may irritate the system owners in the short run " but will save much more anguish and expense later."

Doctors have 'very legitimate concerns' over NHT IT patient records say Lib Dems (22 Nov 2006)

"Commenting on a survey suggesting half of all family doctors could refuse to put patient records on a new national database because of fears they will not be safe, Liberal Democrat Health Spokesperson, John Pugh MP said: "These doctors have very legitimate concerns. The Government"s new computer system will enable private patient records to be uploaded and available to a number of agencies outside of the NHS without the patient being any the wiser. There is a danger the public interest exception may be used as convenient catch-all to justify any kind of snooping by a public body. Patients and doctors need to know how access to this highly personal information is to be controlled in practice, and how unnecessary intrusion into a very private sphere is to be identified and prevented. Without real clarity and meaningful assurances, the NHS IT system risks being yet another expensive bureaucratic mess that undermines civil liberties." In a letter to John Pugh, Richard Thomas, the Information Commissioner (16th November 2006) confirmed: "It is my understanding that a disclosure will not be made to an organisation beyond the NHS unless the patient consents, the law allows it; there is a court order or the disclosure is considered to be in the overriding public interest." . . ."

Work begins on merging Health and Social care records (24 Nov 2006)

The Register

"Work has begun on a social care equivalent of the care records guarantee for medical records, paving the way for merging health and social care records. The plans were disclosed as part of a debate at the annual Care Records Development Board meeting in London, yesterday. The work is still at a very eary stage, and no final decision has been taken as to whether or not a single record will be created. But the possibility of two services sharing data in this way illustrates exactly those concerns about patient privacy and confidentiality that have been raised by opponents of a centralised medical records database. The workshop - a group of forty or so patients, health professionals and other interested parties - was asked to debate the proposition that there should be a "single holistic record" of patient care, encompassing not just health records, but social care information. The idea, the session chair explained, is that information should meet the needs of the individual, rather than the other way around. It was during the ensuing debate that the news of the planned social care records guarantee emerged. The care records guarantee (pdf) sets out the rules that will govern the management of information in medical records when the NHS Care Records Service goes live next year. . . Many of those attending the workshop were concerned that sharing records would dilute the quality of care, and could compromise the quality of a patient's relationships with his or her carers. Some people might be reluctant to share information with their GPs if they thought social services would also have access to that information, one delegate suggested. . ."

CfH report confirms confidentiality risk (27 Nov 2006)

The Register

"Plans to upload medical records onto a central database - the so-called spine - will put patient confidentiality at risk, Connecting for Health (CfH) has been told by its own consultants. In its own risk analysis of the project, the agency responsible for centralising the country's medical records has acknowledged that GPs' concerns about patient confidentiality have merit, and that it would be safer to store records locally. According to Helen Wilkinson-Maker of The Big Opt Out, a campaign group opposed to the spine, the risk analysis was intended to consider two scenarios: a spine with and without "sealed envelopes", sections of the medical record marked by the patient as not to be shared. However, during the consultation with health professionals, civil servants, and patient representatives, a third scenario was put forward for analysis: that of locally held, digital medical records. This was found to present much lower risk of confidentiality breaches, according to the report. . . The consultants identified a conflict between patient safety and confidentiality: records with some details kept hidden were found to put patient safety at a greater risk than those with all the medical information in the clear. This is because the potential for error in diagnosis or treatment is much higher if all the facts are not known, the report says. Meanwhile, patient confidentiality is at its most secure when some information is not just sealed in a single envelope, but in a variety of envelopes, with data being stored locally, and therefore only being accessible locally. . ."

Local sealed envelopes 'probably safer' (28 Nov 2006)

e-Health Insider

"A risk analysis conducted for NHS Connecting for Health has concluded that patient care would probably be safer using locally held sealed envelopes rather than storing them on the NHS data spine. The recommendations in the internal document, written by risk management company Det Norske Veritas and delivered to CfH in September, would seem to cut across the Department of Health"s original vision that Detailed Care Records for every patient will be held on the spine, including sealed envelopes. EHI Primary Care understands that CfH"s current policy on sealed envelopes, as outlined by Professor Mike Pringle, co-GP clinical lead at GP engagement events across the country, is for a two tier system of "sensitive" and "extra sensitive" information for sealed envelopes with extra sensitive information not available outside the clinical team that created it. Dr Paul Thornton, a GP in Kingsbury, Warwickshire who is campaigning against the consent and confidentiality proposals for the NHS Care Records Service (NCRS), is publicising the report which he says highlights the problems of holding all patients" records on the spine. He said: "These confidentiality risks to health have been found to outweigh the benefits from automatic sharing of health information on a national database. The more that information is accessible by all health workers, the less likely it becomes that crucial information will be divulged to any one of us." The Det Norske Veritas consultants were originally asked by CfH to weigh up the relative risks of sealing information against a situation where sealed envelopes were not available. During the course of compiling the report a third possible approach, of sealed envelopes held locally, was included in the review and the conclusion was that it provided the lowest risk to patient safety and confidentiality. . ."

GPs fear flawed computer system (28 Nov 2006)


"A central database of patient records is proving expensive and potentially flawed, doctors in East Anglia are warning. An electronic system, called the Spine, is being set up to store the medical details of 50m patients across the country. But there are concerns about who will have access to it and whether it will be vulnerable to computer hackers. Half of family doctors in a recent survey said they would refuse to add their patients' records to it. Simon Lockett, secretary of Norfolk's Local Medical Committee of GPs, said: "There is no particular reason why the technology shouldn't ensure good confidentiality, but obviously human error is possible and I know some patients feel very strongly about confidentiality. Most of us feel the technology is possible and can probably be operated in a safe way, but I am sure it will cost an awful lot and may not happen at all." Geoff Reason, Eastern region head of health for public sector union Unison, said: "Our concerns are around the management of the project. The NHS has not got a completely brilliant record when it comes to implementing IT. There is a feeling they have tried to do too much at once and there are real concerns around privacy given the ease with which people might be able to hack into computers." Some patients in Norfolk have already written to their doctors to ask that their details are not added to the Spine."

Most patients reject NHS database in poll (30 Nov 2006)

The Guardian,,1960170,00.html

"A national campaign was launched last night to persuade people to refuse on privacy grounds to have their medical records uploaded to a national database. Guy Herbert, of the No2ID group, which is also campaigning against the introduction of identity cards, said: "We'd like to get up to a million people to contact their GPs." The campaigners, who are part-financed by the charitable Joseph Rowntree trust, released ICM poll findings commissioned by the trust which they said showed a majority of the population was hostile to Whitehall's plans. The figures show 53% of those questioned were either "strongly opposed" or "tended to oppose" the centrepiece of the Department of Health's £12bn NHS computerisation scheme. . . On the platform at last night's campaign launch in London was the former Conservative foreign secretary Sir Malcolm Rifkind. Although he and the Tories are not officially linked to the NHS data opt-out campaign, he spoke in support of opposition to identity cards, and to government databases in general. Sir Malcolm said: "The case for identity cards or other large databases must be based upon hard evidence." There had to be safeguards in place against potential abuse: "These criteria are not being met on either ID cards or other measures that restrict civil liberties." . . . The government claims there will be elaborate safeguards built into the system which will prevent unauthorised access to the intimate medical details of 50 million people. But Connecting for Health, the NHS agency responsible for the database programme, suffers another blow today. The latest issue of the GPs' magazine Pulse describes an internal health department report which found that so-called "sealed envelopes" - a key part of the planned data safeguards - were likely to be insecure. The department was hoping to deal with this problem by introducing a further layer of security - the "sealed and locked envelope", which could only be opened by the clinician who originally composed the file. But Dr Paul Thornton, a GP in Kingsbury, Warwickshire, who is one of the No campaigners, said this would not necessarily solve the problem.

GPs angered by call to reveal names of NHS database rebels (2 Dec 2006)

The Guardian,,1962282,00.html

"The Department of Health provoked uproar among doctors yesterday by asking GPs in England to send in correspondence from objectors who do not want their confidential medical records placed on the Spine, a national NHS database. Sir Liam Donaldson, the chief medical officer, said letters from patients who want to keep their private medical details out of the government's reach should be sent to Patricia Hewitt, the health secretary, for "full consideration"." . . . GPs wrote to the General Medical Council asking for a ruling on whether Sir Liam had broken the doctors' code of good practice by using his authority to encourage GPs to breach patient confidentiality without clinical justification. Sir Liam's letter complained about "misleading statements" in a Guardian article on November 1 that the police and other agencies might be able to access medical records once they had been loaded on to the national database. The article included a form of words patients could use to ask Ms Hewitt to refrain from uploading their records without their explicit consent. Sir Liam said patients were sending a similar request to GPs instead of the health secretary. He added: "If you do receive any such letters I would ask you to send them to the Department of Health so they may receive full consideration." Hamish Meldrum, chairman of the BMA's GPs' committee, said: "The chief medical officer's intervention is not helpful and GPs should not forward these letters. It is possible that some patients might think this is a breach of confidentiality in that a letter sent to their GP is forwarded to somebody else without their consent." Paul Cundy, the BMA's spokesman on IT, said: "For a GP to forward such letters without the explicit consent of the patient would be a gross breach of privacy. In effect it is asking GPs to spy on his behalf. He should retract immediately. . ."

Health officials reject requests to opt out of patient database (4 Dec 2006)

The Guardian,,1963222,00.html

"Patients who have complained about the idea of having their confidential medical records uploaded on a new centralised NHS database were sent letters over the weekend flatly rejecting their concerns. In an uncompromising statement, the Department of Health said nobody could have genuine grounds for claiming "substantial and unwarranted distress" as a result of having their intimate medical details included on a national computer system, known as the Spine. For that reason, "it will not agree to their request to stop the process of adding their information to the new NHS database". . . Last night doctors' leaders said the department's letter failed to take account of patients' rights under the Data Protection Act to refuse to allow information about them to be copied from one database to another. Paul Cundy, joint chairman of the IT committee set up by the British Medical Association and Royal College of GPs, said: "Patients do not have to prove severe distress. If patients decide they do not want their medical notes to go on the national system, they have an unalienable right under the Data Protection Act to refuse." He said the department asked any patient with "unique and personal reasons for claiming substantial and unwarranted distress" to write explaining them to its Whitehall customer service centre. But Dr Cundy said this put patients in a Catch-22 situation. They were being asked to reveal to officials the specific reasons why they did not want information revealed to officials."

The temptations in a digital society (4 Dec 2006)

Media Guardian,,1963047,00.html

"The government's plans to digitise the nation's personal records could be a goldmine for journalists willing to break the law. Details on millions of people will be compiled in databases accessed by thousands of officals. The bigger the system and the more people that use it, the less secure it becomes. Ross Anderson, professor of security engineering at Cambridge University, sees a parallel in banks' moves from branch-based computer systems to centralised ones in the mid-1980s. Previously, accessing account data meant nobbling someone within the target branch or group of branches; and at present, a patient's GP notes are normally only available at their surgery. "It makes it much easier to get information out," he says. Staff using NHS systems, which will eventually include summary health records for all patients in England, log on with a smartcard and Pin number, but Anderson says he knows of an emergency ward where a nurse logs on at the start of a shift and leaves it open, to save time. The Department for Education is planning an index including every child in England. The Association of Chief Police Officers is using numberplate recognition technology to record the details of all vehicles passing CCTV cameras . The National Identity Register, which will eventually hold data on all adults including fingerprints and facial scans, may also act as a key to other databases. The Home Office says it vets staff - misuse of National Identity Register data can lead to jail sentences of up to 10 years. The Information Commissioner has called for stronger penalties for misuse of other data. But for unscrupulous journalists and investigators, the pickings could be rich."

Patients win right to keep records off NHS computer (16 Dec 2006)

The Guardian (Front page story),,1973338,00.html

The government has bowed to privacy concerns about a new NHS computer system and conceded that patients should be allowed a veto on information about their medical history being passed from their GP to a national database. Following a Guardian campaign against the compulsory uploading of personal details to the system known as The Spine, Lord Warner, the health minister, will announce a plan that would allow individuals to review and correct their records and withhold them from the database. . . This month the Department of Health sent more than 1,300 curt letters rejecting requests from patients for their medical details to be kept off the national database. But ministers have changed their minds after advice from a taskforce on patient records headed by Harry Cayton, the department's "patient tsar". Under his scheme, GPs would ask every patient to give their explicit consent for a summary of their record to be put on the national database. They would be given a few weeks to review the summary and call for corrections or amendments to be made before they consented to the upload. In a key departure from the previous position, the taskforce said: "Some patients may ask for their summary care record not to be shared or uploaded at all." Lord Warner said it was not yet possible to guarantee a right of veto. Some doctors were concerned that patients might be putting themselves at risk by refusing access to records that could save their lives in an emergency. . . But he conceded it was technically possible for patients to refuse to let their data be uploaded and the government was considering how to make this happen. . . Lord Warner said the government remains firmly committed to the creation of a national database and hopes to persuade the vast majority of patients to consent to their records going on it. . . Lord Warner said 1,351 people wrote to Patricia Hewitt, the health secretary, demanding that their medical records should not be uploaded, using a form of words devised by Ross Anderson, professor of security engineering at Cambridge university, a leading critic of the scheme."

How patients' protests forced a rethink on NHS computer records (16 Dec 2006)

The Guardian,,1973239,00.html

"The government's change of policy on patient records, disclosed in the Guardian today, is the first departure from a roadmap drawn by Tony Blair in 2002 when he approved a scheme to spend billions on a new IT system for the NHS. The prime minister was captivated by the vision of a national database containing the medical records of 50 million patients throughout England. Heads of the corporations developing cutting edge technology convinced him that lives could be saved if doctors, nurses and paramedics could gain instant access to key information about patients that might cause conventional treatments to cause life-threatening reactions. nstead of consultants waiting for hours to locate the patient's GP and ask for relevant information, a paramedic on the scene would be able to access data from a palmtop computer. Who could object? Mr Blair thought nobody would when he authorised what eventually became a £12bn scheme to connect more than 30,000 GPs to nearly 300 hospitals and their outposts in the ambulance service. . . From the outset, the patient record was a key component, but nobody thought to ask whether patients minded having medical details put on a national system which could potentially be accessed by a large proportion of the NHS's 1.3 million staff. The British Medical Association was divided. Consultants in hospitals with poor IT systems were enthusiastic. GPs whose IT systems tended to be more up to date were anxious about sharing patients' medical secrets without asking consent. Lord Warner, the health minister, set up a taskforce under Harry Cayton, the patients' "tsar", to work out a compromise between GPs who wanted patients to choose to opt into the scheme and others who feared the most vulnerable patients would not bother to make the choice. For civil liberties campaigners, the internal debate missed the point. They mistrusted promises of electronic security locks. On November 1, the Guardian carried a coupon compiled by Ross Anderson, professor of security engineering at Cambridge University. It prompted 1,351 people to write to Patricia Hewitt, the health secretary, using the coupon or words from it, to demand their medical records should not be uploaded. . . Lord Warner's response will fall well short of a guarantee of a complete opt-out from the system. But he said the government is now concentrating on how to give the opt-out, not whether to give it."

Electronic care records go ahead (16 Dec 2006)

BBC News

Ministers are to press on with plans for a controversial electronic medical records system. The government's patients' tsar Harry Cayton will say the system, which will hold records for 50m people in England, is needed to modernise the NHS. Only people who can prove the system will cause them substantial mental distress will be exempt. But doctors warned creating the record without a patient's consent could harm the doctor-patient relationship. Health correspondent Adam Brimelow said the computerised patient record scheme is central to a huge and expensive upgrade of the NHS IT system. Under the system, everyone will have a computer-based care file with basic information such as medication and allergies, drawn from GPs' records. A poll of over 1,000 GPs by the Guardian newspaper last month found half would consider refusing to put patient records automatically on to a new national database. Many said they doubted the security of the new system. Pilots will begin in the spring with national roll-out expected by the end of the year. The government says it aims to make unscheduled treatment - including care in emergencies - quicker and safer, as well as protect patient confidentiality. Patients will only be able to have their records removed if they can show holding them will cause them substantial mental distress. However, they will be allowed to check the details are correct and make amendments online. How more detailed and sensitive data will be stored is still being looked at. . ."

Minister admits U-turn on NHS database amid privacy fears (19 Dec 2006)

The Guardian,,1975035,00.html

The government gave a categorical assurance yesterday that NHS patients would have an absolute right of veto on any part of their medical records being uploaded to a national database. The health minister Lord Warner confirmed a report in the Guardian on Saturday that the government was abandoning an attempt to oblige GPs to provide a medical summary on every patient for a centralised electronic record. He acknowledged changing the policy over the past few weeks in response to the concerns of patients who feared unauthorised disclosure of their medical histories. He said the fears were groundless but offered assurances that were firmer than in the briefing to the Guardian last week. He said: "For all of them, if they don't want to have their information uploaded, they can stop it before it is uploaded." However, he said that the campaigners did not have the right to stop the scheme completely: "People who want to say a curse on the devil and all his works can stop their information being uploaded, but they can't stop other people having the information about them uploaded." . . Helen Wilkinson, national coordinator of The Big Opt Out, a campaign against the database, said: "People should opt out now, if only to wait and see if the government delivers the 'protections' that it is promising and whether they are credible." . . ."

A question of consent (19 Dec 2006)

The Guardian (Leader),,1974883,00.html

"Seventy five pounds for an ex-directory number, £150 for the address a car is registered at and £500 for a criminal record. These are just some of the tariffs that the information commissioner last week revealed had been paid by journalists for personal data, exposing how established the market in snooping has become, in spite of strong theoretical safeguards. When, against this background, a new national patient register is being introduced - which a quarter of a million people will have some measure of access to - it is right that claimed guarantees of confidentiality be treated sceptically, however worthwhile the new database may be. And electronic records certainly could be useful, bolstering care where patients run into emergencies away from home, as well as speeding the transfer of information needed for day-to-day care when a patient moves from one physician to another. But with medical data being so personal, and with confidentiality at the heart of the patient-doctor relationship, both the Guardian and the British Medical Association expressed fears about whether the new centralised "spine" was really secure enough. Then, last month, our survey revealed that most family doctors shared these concerns and that half might defy the official requirement to upload their patients' details, potentially rendering the whole project unworkable. Yesterday, as it unveiled the next steps towards implementation, the government showed at least some signs of having listened. When the first information is uploaded, in trials next year, aside from demographics it will cover only allergies, medication and adverse reactions, all details that there is a clear clinical advantage in sharing. Yet, even with such tightly defined information, extremely serious implications for privacy remain. People on very many medications . . . may have deep anxieties about this being known by anyone but their own GP. That is why it is so crucial that the government seemed to signal yesterday that patients should be able to amend their details before they are uploaded, or indeed, to opt out of having their record shared at all. . . With such personal data, truly personal consent for sharing is surely needed."

Sending a shiver down my Spine (20 Dec 2006)

The Times,,6-2512104,00.html

"An electronic record, which we may see and correct, available instantly to any doctor or nurse who needs it? Sounds wonderful. Yet the Government is facing a wave of protests from patients and GPs. Most of this is down to arrogance: the "we know best" attitude that characterises not just much of the medical profession but Whitehall as well. Take the broken promise about compulsion. At first, two years ago, ministers said that people would be allowed to opt out of the electronic system. Then, this year, in an abrupt change of policy and a Big Brotherish assumption that the national pooling of information was more important than your right to privacy, it said that patients would be allowed to opt out only if they could prove that it would cause them "substantial and unwarranted distress" to be included. Thankfully, that decision was overturned this week and the Department of Health said anyone can ask to keep his or her medical records off the register after all. You have to ask, mind; consent will be implied if you do not. A further safeguard is promised, if you are on the register: you will be able to nominate specific information to be placed in a "sealed envelope" that will be opened only with your consent or in urgent circumstances. So far, so reassuring. So why won"t I be on the so-called Spine, this record of 50 million patients? Because I do not trust the security. Some 250,000 health staff will have access to your details, at varied levels, with individual access codes. Social workers, health managers, private medical firms and researchers will be given access too. How careful will they be with the information? What to a doctor or statistician is one lady"s banal decision to have an abortion in 2006 might to that woman be her most personal and delicate secret, and perhaps it might even be a secret to her husband too. Now imagine that woman was called Madonna (I am making this up, obviously) and weeks after the abortion she adopted an African baby " that information would be worth tens of thousands of pounds to some journalists. Now imagine that you are a nurse coming to the end of a six-month contract and about to be sent packing back home to the Philippines or Malawi. You are on triage at A&E, logging patients on arrival. You are using one of the hundreds of spare log-ons for the thousands of temporary staff whom the NHS employs daily. And you will have access to the entire database; A&E is the sort of place that has to have access, because people arrive unconscious or confused. Now imagine the temptation to sell that information about Madonna. You will be back home with enough money to buy the village by the time it appears in the papers. . . I have no doubt that at some point we shall all have electronic medical records. I would prefer them to be in my hands, with a smart card I carry if I choose, giving access to people I select, and to NHS emergency staff if I am unconscious or incapacitated. I"ll take the risk of mislaying it. Now that would really be putting power in the hands of the patients. But until the Government can at least answer detailed questions about exactly how its proposed system will work, I cannot think why anyone would want every spit and cough of their personal medical details made available to hundreds of thousands of people, and more. I, for one, would prefer to remain spineless."

NHS records pilots set to run (21 Dec 2006)

IT Week

"The first pilots of the national electronic health records system will go ahead in the spring, against a backdrop of compromises over patients" security concerns. The control of access to centrally-held information has been an ongoing issue for the £6bn National Programme for NHS IT (NPfIT). Login to the database is controlled by a high-security smartcard and only clinicians with a "legitimate relationship" will be able to see health data. But concerns remain over patient control of their information. Following a report from an independent taskforce, patients will now be able to check, and potentially veto, the data being uploaded to the central data spine. Those not actively opting out will be considered to have consented. NHS IT director general Richard Granger, who is responsible for the technology programme, says security concerns must not be allowed to undermine the improvement of patient care. "Concerns about data security may be marshalled by an active lobby of healthy sceptics to the detriment of the ill, and avoidable fatalities will result," he said. The debate highlights continuing communications issues between clinical groups and the central programme. The British Medical Association says a lack of early consultation with doctors is at the root of the confidentiality concerns. . ."

Headed for the rocks (21 Dec 2006)

The Guardian,,1976589,00.html

"The NHS's ill-starred computer project is in the news again. After polls showed that most doctors and patients oppose a compulsory national database of medical records, health minister Lord Warner produced a report on Monday and promised an opt-out. But don't break out the champagne yet. The report was cleverly spun; hidden in an appendix is confirmation that you can opt out of the Summary Care Record, but not the Detailed Care Record. The first is merely a synopsis for emergency care. It will have your current prescriptions, and will say, for example, whether you are diabetic. But ministers are not offering an easy opt-out from the second - the database replacing your current GP and hospital records. They plan to "upload" your GP data over the next year or two to a regional hosting centre run by a government contractor. The data will initially remain under your GP's nominal control but, after hospital records have been uploaded too, the chief medical officer will be the custodian of the whole lot. Your "electronic health record" will be used for many purposes, from cost control through audit to research. So the Home Office plans to use health data to help predict which children are likely to offend (despite a recent report to the information commissioner that collecting large amounts of data on children without their parents' consent will probably break human rights law). Yet confidentiality is often vital for care. . . The NHS computer project also has grave safety and performance problems. Moving patient records from the hospital or surgery to remote computer centres means that network failures cause havoc. What's more, the NHS computer system is showing all the classic symptoms of turning into a software project disaster, with changing specifications, slipping deadlines and soaring costs. The NHS must not be dependent on it. The convoy is heading for the rocks, and perhaps only one man can alter its course. Gordon Brown will have to decide soon whether to scrap the central database and build safe systems that will work. If he calls it wrong then - as with Blair and Iraq - it may well be the decision for which he is remembered."

BMA may seek NHS records system boycott (22 Dec 2006)

The Register

"Doctors will be advised to refuse to use the NHS's computer system unless the Department of Health (DoH) changes its mind on behaviour which the British Medical Association says is unlawful. The DoH has refused to allow a large number of patients to opt out of its controversial computerised patient records system, which is still in development. The BMA says that that refusal is unlawful and could result in a boycott of the system by GPs. "We believe this particular suggestion by the DoH is unlawful and certainly it's outwith our understanding of the Data Protection Act," said Dr Richard Vautry, the BMA's negotiator on IT issues and a member of its GP committee. "If they insist on that position, which we think is untenable, then it would mean that we would be obliged to advise practices not to get involved in putting any information into the summary care record," Vautry told OUT-LAW. The system depends on GPs inputting the information and would be likely to collapse if GPs refused to carry out that task. "I'm sure practices would be very unwilling to do so because they would feel that it would put them in a very legally indefensible position," said Vautry. The DoH did not respond to a request for comment before publication. The controversy stems from a letter sent by the DoH to a large number of people who asked to opt out of the system. The Department told them that they could not opt out unless they could show 'substantial and unwarranted distress' would be caused by being in the system. The BMA says that the Department had no right to make that judgment. . ."

Time to go public (27 Dec 2006)

The Guardian (Leader),,1978859,00.html

"Privacy is one of those concepts which are easier to understand than define. A human life of any quality relies on a reasonable expectation of privacy. Yet modern technology - whether deployed by corporations, individuals, media or the state - offers unlimited scope for intrusion into private lives. . . With official databases so easily penetrated it is reasonable to ask searching questions about the drive in government to centralise digital information about our lives. Ministers talk sweet reason in making the case for ID cards and national NHS records. But they must know that such systems are always open to abuse. CCTV cameras on the streets may offer reassurance and help fight crime. But how relaxed would people be if, as happened in recent experiments, cameras were augmented by microphones to monitor street conversations? The debate over these and associated issues has been slow to get off the ground, but is now gathering pace. Many people feel increasingly anxious about the potential loss of civil liberties and it would be ill-advised for governments to dismiss such concerns. . ."

Patient Concern: Database a threat to patient confidentiality (15 Jan 2007)$463285$463273.htm

"A patients' campaign group has called on medical authorities to unite against plans to create a single government database. Ministers believe allowing government departments to share information will make public services more efficient. But Joyce Robins, co-director of Patient Concern, said: "The announcement of plans for a national database accessible by any government department couldn"t come at a worse time. "It will fuel the public"s fear that confidentiality is meaningless in respect of their medical condition and sabotage patients" trust in their doctors" ability to protect their privacy." The group is concerned the commitment to privacy in the NHS's integrated IT system will be overridden by the new database. "Not only the information commissioner but the health service regulatory bodies and medical royal colleges should be seriously worried and unite to oppose the threat to patient confidentiality," said Ms Robins.

A Vision of HAL (16 Jan 2007)

The Times,,542-2548779,00.html

"Joined-up government needs joined-up computers. "I know I"ve made some very poor decisions recently," HAL admits at a critical point in 2001: A Space Odyssey. "But I can give you my complete assurance that my work will be back to normal. I"ve still got the greatest enthusiasm and confidence in the mission. And I want to help you." The original spacefaring supercomputer could have been articulating the Government"s position on its own supercomputer projects. Disastrous errors have been made with the specification, procurement and installation of costly public sector IT systems. But Tony Blair insisted yesterday that he would press ahead with them nonetheless " and require them to pool personal information on citizens much more efficiently " because he believed it would enhance the delivery of public services. . . The scheme launched yesterday is aimed at lowering some of the barriers to information-sharing set up by the Data Protection Act 1998. Mr Blair has said it will only involve the creation of the new combined database so feared by civil liberties activists if a series of "citizens" panels" consent to the idea. It would be naive to suppose that the plan will not entail some erosion of personal privacy: easier citizen access to government necessarily means easier government access to citizens. But in all advanced democracies certain individual liberties are sacrificed for the sake of collective security. If executed efficiently and transparently, this project could deepen that social compact rather than threaten it. It is a big "if". The NHS"s £20 billion Connecting for Health project is, notoriously, at least two years behind schedule with no guarantee of delivering the improvements in healthcare that its architects promise. Myriad smaller government IT schemes are plagued by delays, cost overruns and unrealistic expectations. More than half of all government websites are to be scrapped within the next three years. Even if the new goal of more intelligent sharing of information is achieved securely, it runs the risk of spreading errors throughout the system. Against this, citizens are promised a realisation of the dream of "one-stop" government: one phone call to notify the authorities of a death in the family, not 44, as in one case cited by the Work and Pensions Secretary; a single point of reference handling all pension and benefit enquiries for the elderly; and an undoubted boon to police if related plans to create a national DNA database receive the go-ahead. The potential benefits are real and the momentum to aggregate information may, in any case, prove unstoppable. Like HAL, the Government must therefore learn from its mistakes and raise its game."

Anger over EC medical data-sharing scheme (26 Jan 2007)


"Experts are outraged by a plan that would make UK citizens' medical details accessible across Europe. The European Commission is about to call for proposals on how patients' medical details would be shared between its member states, with the UK almost certain to be included in the scheme. . . The data that will be shared will include some kind of emergency care records and patients' medication histories. The aim of the scheme is that if, for example, a UK citizen falls ill while in Spain, doctors there will know what medication the patient cannot take or what existing conditions they already have. But according to Ross Anderson, a Cambridge University security engineering professor and longstanding critic of the NHS' multi-billion pound centralising systems upgrade, the National Programme for IT (NPfIT), the scheme is unnecessary and could even be counterproductive. . . It is unclear at this stage what level of security will be built into the Commission's initiative. Comyn confirmed that "it will be up to the member states to take appropriate actions on security and make sure the level of security they choose is in line with the national levels". As there is already disquiet within the UK about the security implications of having a centralised national health database, the idea of those details being available in other countries, under those countries' home-grown security restrictions, seems sure to cause further concerns. It is also not clear whether this interoperability was part of the original specification for the UK's NPfIT, or whether it will create new requirements and costs for the scheme. Richard Granger, the head of NPfIT, had not responded to a request for comment at the time of writing. . ."

Patients can boycott NHS system, says Commissioner (26 Jan 2007)


"The Information Commissioner has been told that patients will have the opportunity to refuse to have their details uploaded onto the new NHS medical records system. The news comes just weeks after the Department of Health refused patients that right. The Information Commissioner's Office (ICO) has issued a report on the NHS Connecting For Health system, the patient record system which has suffered cost over-runs, delays and controversy over the right to opt-out. OUT-LAW recently revealed that the Department of Health had refused a large number of requests from patients that their details not be uploaded, and that the British Medical Association has threatened to ask doctors to boycott the system. Such a boycott would likely cripple the £12 billion project. . ."

NHS security dilemma as smartcards shared (30 Jan 2007)

Computer Weekly

"An NHS trust board has approved the sharing of smartcards, in breach of security policy under the £12.4bn NHS National Programme for IT (NPfIT), because slow log-in times would restrict the time of doctors treating emergency patients. South Warwickshire General Hospitals NHS Trust has allowed some staff to share smartcards used to access patient records, after concluding that log-in times for systems were too long for high-activity areas such as Accident and Emergency. The move raises the question of whether the Care Records Service system installed under the NPfIT has been supplied with busy hospital departments in mind, and just how stringent security can be in highly pressured environments. Connecting for Health, which runs the NPfIT, has stated in policy papers that smartcard sharing by NHS staff is "misconduct" that may result in disciplinary action. Paul Cundy, spokesman for the British Medical Association's GP IT subcommittee, said the actions of the trust "drive a coach and horses through the so-called privacy in the new systems". He said, "This is precisely what we have long predicted and shows that security systems, although highly specified on paper, need to be tested against live environments before they can be said to be secure." But Duncan Robinson, director of IT at the trust, said it had decided specifically in Accident and Emergency to slightly depart from what he called security "guidelines" to allow the sharing of smartcards on certain PCs. He said the trust was concerned that logging on could take up to 90 seconds. Without smartcard sharing, if doctors using a secure PC are called away when accessing a file, they may have to log off and on again when they return to it. Sharing the shift leader's smartcard, more than a dozen clinicians can access files on PCs without logging on and off each time. . . A spokesman for Connecting for Health said smartcard sharing policy and guidance was unambiguous - it is misconduct and should be dealt with via disciplinary procedures or professional bodies. . ."

Faulty software puts child health at risk (14 Feb 2007)

The Times

"The health of children is at risk because an NHS computer system wrecked 20 years of accurate immunisation records. Faulty software introduced in 2005 has left some primary care trusts (PCTs) unable to track whether children have been vaccinated and screened for genetic conditions, raising fears that many are unprotected against diseases. Parents are not being reminded when their children are due for jabs and check-ups. The Health Protection Agency cannot publish full statistics on the uptake of vaccines because the five worst-affected London trusts cannot provide accurate data. When the shortcomings of the Child Health Interim Application (CHIA) software were disclosed by The Times a year ago, the Department of Health stated that the problems were being addressed. Staff were said yesterday to be "in despair" at continuing difficulties with the system supplied by BT. Christine Sloczynska, consultant community paediatrician at Waltham Forest PCT, in East London, said: "I"m sure there will be kids who slip through the net and will be unimmunised. Our immunisation take-up has fallen from 94 per cent to 58 per cent, but we don"t know how much it is due to children missing their vaccinations, or to lack of data." The Health Protection Agency said that five trusts had been excluded from national figures for uptake of MMR and other vaccinations as their data were considered unreliable. Pat Troop, head of the agency, said: "There is still a gap in the data, and it"s something the local NHS are concerned about, not just us. Not monitoring coverage of measles is how infections might happen." Mike Catchpole, of the agency, said that it was not possible to predict when the affected PCTs could provide the data. The CHIA software was introduced in ten London trusts when an older system was withdrawn. Dr Slocynzska said that the system could not be used to generate lists of those who match particular criteria, such as missing vaccinations. This makes it difficult for GPs to issue reminders. Parents are still issued with a "red book" listing a vaccination schedule, but the problems with the computer make it hard to tell them when new jabs are available. Birth records formerly sent online from maternity units must be entered by hand, and there is a backlog. "We are sometimes told of a child"s death before we know it has been born," Dr Sloczynska said. BT has promised to replace the software."

BMA chair says smart card policy 'preposterous' (15 Feb 2007)

e-Health Insider

"Connecting for Health's policy of requiring doctors to repeatedly log-in with a smart card every time they use a computer system has been described as "preposterous", by the chairman of the British Medical Association. Speaking exclusively to E-Health Insider Mr Johnson said: "The idea that we have to log in and out of each terminal we use is complete nonsense. There is no reason why patients should be left waiting whilst staff log onto a system." Mr Johnson, who is also chair of the BMA"s Working Party on NHS IT, was commenting on whether he thought South Warwickshire NHS Trust were right to allow clinicians to share smartcards in the Accident and Emergency department due to the 60 " 90 seconds it took to log into there new patient administration system. [1] Johnson felt that the sharing of smartcards was "totally unacceptable" and they should be replaced with individual authentication methods such as lapels or devices that are pressed onto a reader when accessing confidential data. . . He said he also strongly favoured the creation of Role Based Access Controls (RBAC) to limit who sees what data and says work with Connecting for Health to create a firm set of job roles within a healthcare environment that will determine staff access rights. . ."

The NHS Database: Lord Warner"s opt out decoy: A review of persisting privacy and confidentiality issues (Mar 2007)

Dr Paul Thornton MPH, FRCGP

"As a parting shot just before Christmas, resigned Health Minister Lord Warner generated extensive press coverage by announcing unequivocally that patients would be allowed to keep their information off the national database that is being created by Connecting for Health, the Department of Health"s IT wing. This was trumpeted as a substantial concession in response to letters sent to the Department of Health by patients. It appeared that Lord Warner belatedly recognized the political and ethical obligations on the Department of Health (DH) - obligations that were increased by the editorials and comment from newspapers across the political spectrum once they came to understand what the NHS had otherwise been trying to do. Lord Warner"s announcement was trailed by Mr Harry Cayton in an interview with The Guardian. The newspaper had previously printed a proforma letter that was sent to the Department of Health by readers. Mr Cayton is "National Director for Patients and the Public" at the Department of Health, a political appointment dubbed "Patient"s Tsar". . . It is nearly two years since Mr Cayton previously reassured on BBC TV news that patients would be able to opt out of the national database entirely if they so choose. Despite the gestation period of an elephant, the board he chairs has failed to amend the National Care Records Guarantee to inform patients of that choice and how it can be exercised. Nor has the board given any indication of how the care of such patients might be taken forward if they are ever able to exercise that choice. . . All that is being offered by the ministerial working party is an "opt out" from the "summary care record". This limited opt out is important because all information in the summary care record will otherwise be accessible to all NHS staff nationally. Initially the summary care record will include only current medications, allergies to medication and adverse reactions. This is sufficient information to imply highly sensitive diagnoses. If you know the treatment you know the disease. It is intended that the summary care record will include even more data as summary information will initially be generated from data currently held by General Practitioners on their discreet and discrete systems. But this limited opt out is not sufficient. . . CfH intend that all clinical, psychological and social information will be recorded by professionals in a "Detailed Care Record", a subset database of the entire scheme. The information will be stored on centralised computers that are remote from the unit treating the patient. A single individual should therefore have a different "Detailed Care Record" created by each NHS unit by whom they are being treated. Previous CFH documents confirm that detailed care records will certainly be accessible by all staff who work in the same NHS unit as the professional to whom private information has been divulged. This may be as small as a single GP practice or as large as an NHS Trust covering 2 or 3 District General Hospitals. In addition, enormous numbers of staff in all the units which share the same I.T. infrastructure, described curiously as an "instance", will have the ability to access the detailed care records created in those other units in that "instance". Connecting for Health (CfH) have divided health services in England into five geographical areas, called "clusters". Each cluster database may be divided into as few as two or three "instances". The number of staff and patients served by a single "instance" will be huge. Users of an "instance" will be widely spread geographically. Some restrictions might be placed on who is "allowed" to access the records but this is substantially exceeded by a recognition of the numbers who are "able" to access the records. The biggest security risk to any large database arises from illegitimate use by staff with at least some degree of legitimate access. . ."

First test launched of NHS's controversial 'Spine' database (15 Mar 2007)

The Guardian,,2034101,00.html

"The government's plan to put the medical records of every NHS patient in England on a central electronic database will begin first trials tomorrow at two carefully selected GP practices in the north-west. About 14,500 patients in Bolton will be told their confidential medical details will be uploaded to a national data warehouse known as the Spine, unless they object. Their reaction will be the first test of whether patients accept the government's argument that a national electronic record can save lives - or agree with campaigners for personal privacy who see the scheme as a lurch towards a Big Brother state. . .The agency said it was taking a cautious approach and would learn lessons from Bolton before testing the scheme in six or seven other primary care trusts before the end of the year. If all goes well, a summary of the medical records of 50 million patients throughout England will be uploaded in spring next year."

Gadget will help to save patient lives (16 Mar 2007)

Portsmouth Today News

"THOUSANDS of patients are to benefit from a potentially lifesaving new information system. Health bosses have launched handheld computer technology so patients in need of urgent medical attention can be identified and treated more quickly. Clinicians in the medical and surgical assessment unit sat Queen Alexandra Hospital, Cosham, Portsmouth, can now monitor a patient's condition throughout their hospital stay - saving a massive £1m a year. . . Nurses now record and store vital signs such as pulse, blood pressure, heart rate and temperature electronically at a patients' bedside. VitalPAC analyses data alongside other important information, such as blood test results stored in other hospital databases. The system uses an early warning score to identify seriously ill patients. Specialists are then automatically alerted when a patient's condition deteriorates. These records were previously kept on charts at the end of a patient's bed. . . 'There's a level of disillusionment among doctors and staff with the national programme,' said trust critical care consultant and project clinical lead Gary Smith. We believe this system will compliment it. We're doing things that Connecting For Health cannot deliver to make our patients safer.' Learning Clinic managing director Roger Killen said: 'Not only will it help ensure the safety of the patient, but it also promotes their progress through the tests that help the clinical teams make accurate diagnosis and treatment.'"

Safety now number one priority for CfH (17 May 2007)

e-Health Insider

"Professor Michael Thick, the chief clinical officer for Connecting for Health, says that the Department of Health"s IT agency has transformed itself from being largely technical to one that places patient safety as its number one concern - safety trumping contract considerations or delivery timetables. . . He said that the current focus on clinical safety dated back to a 2004 review by the chief medical officer of whether the NPfIT programme was taking patient safety seriously " placing it as its first priority. "This found that there was not a patient safety culture in what was largely a technical organisation that saw how you use information as someone else's concern." However, since the 2004 review far-reaching changes had been made said, Professor Thick. In addition to his appointment he said: "NPfIT has established a clinical safety programme, led by a secondee from the NPSA [National Patient Safety Agency], adopted the IEC 61508 patient safety standard and set up clinical training on safety for all clinicians within the programme." . . . He said that clinical risk management was now of paramount concern with detailed documentation developed for clinical risk assessment. . . Professor Thick said this commitment to patient safety was best seen in the fact that every product delivered by NPfIT had to secure 'Clinical Authority to Release' before it could be deployed into the NHS. He said this over-rode all other concerns and delivery schedules. . ."

Dilemmas of Privacy and Surveillance: Challenges of Technological Change (26 Mar 2007)

Royal Academy of Engineering

". . . In relation to privacy and surveillance, levels of trust are vulnerable if government appears unresponsive or is deemed too slow to react to the dangers posed by the use of those technologies. Trust has a rational basis, and is accorded only when institutions perform their roles satisfactorily. Institutions generate trust when they perform well and when they do not they are deemed untrustworthy and generate scepticism. . . It is with respect to trust as role performance that governments are most vulnerable. This form of trust is based on people's experiences, as the performance of institutions is monitored by the public and opinions and perceptions subsequently develop. While it might take years of effective governance to establish institutional trust, it can be wiped out very quickly, however fairly or unfairly, by high profile mistakes or accidents. Moreover, trust problems over a particular issue can translate into a mistrust of a whole government (which can be electorally punished), but leave trust in the state (in the police or National Health Service for example) unaffected (though state bodies such as the police or the NHS can lose public trust in some circumstances). . . There are a number of incidents in which a government or series of governments have suffered loss of trust due to poor role performance, or perceived poor performance. Crucially to the interests of this report, a number of these relate to the introduction of new technologies. For example, the implementation of a new computer system in the Child Support Agency (CSA) was considered a disaster, with many vulnerable people failing to receive child support payments due to its inadequate functioning. The failures associated with the CSA have been brought up in criticisms of plans for the NHS project 'Connecting for Health' which involves bringing modern computing systems to the NHS. They have also been raised in connection with the ID cards scheme and the associated National Identity Register (NIR). Both past problems and recent difficulties mean that government is vulnerable when it comes to trust in their ability to implement a large IT project, or any other complex business change project. Of course, government is not alone in experiencing difficulties in implementing complex projects with a large IT component, but it is particularly vulnerable since its projects use public money and involve critical services such as the NHS. . ."

Safety first: the benefits of e-prescribing (26 Mar 2007)

Health Service Journal

"The deadline for the introduction of electronic prescribing in secondary care is 2010. But so far very few hospitals have explored it. E-prescribing reduces prescribing errors, removing the potential for problems with doctors' handwriting, for example, and can eradicate erroneous changes when transcribing a prescription to a new form. But NHS Connecting for Health, the agency responsible for the national IT programme, says only a 'small number' of trusts have experience of e-prescribing. Barriers include the time taken by the IT programme to provide the technology and difficulties faced by support companies in setting up systems in the required time. But two trusts are ahead of the game. Doncaster and Bassetlaw Hospitals foundation trust has been gradually bringing in the technology since 2002. It aims to extend it to all wards in Doncaster Royal Infirmary inside a year. The trust's objectives were to reduce clinical risk and improve discharge communication. A study showed that, where the technology was used, compliance with the policy rose from 37 to 96 per cent. All the records of the medicine given to patients were accurate, compared to 65 per cent before e-prescribing. Adverse drug events were reduced by 60 per cent. Winchester and Eastleigh Healthcare trust uses the JAC system, which manages prescription, supply and administration cycle. Senior pharmacist Joyce Bould says the way the system interacts with other systems has caused problems, but 'it's now accepted that this is the way to go. The NHS is recognising it is a safety issue.'"

Information Commisioner must investigate junior doctor website blunder (26 Apr 2007)

Liberal Democrats

"The Liberal Democrats have today written to the Information Commissioner asking him to urgently investigate the release of sensitive personal data of junior doctors on a Government website. . . 'The lack of consideration for the security of personal data in this case seems to constitute a serious breach of the Data Protection Act. I am sure you will agree this is an extremely concerning situation. I therefore ask that you thoroughly and urgently investigate this matter. I would also like you to consider whether this development casts further doubt on the advisability of persisting with the MTAS system without further thorough piloting and without cast iron reassurance as to the integrity of the system and safeguards to protect sensitive personal data. Are there any lessons to be learnt from this debacle in respect of the plans to establish a national database of patient records under the "Connecting for Health" IT programme? . .'"

Information Governance will be ongoing challenge (1 May 2007)

e-Health Insider

"Connecting for Health have told the House of Commons Health Select Committee that addressing the information governance challenge for shared records and use of patient data in an electronic NHS would be an ongoing challenge for the coming decade, in the same way that getting clinical governance right had been the challenge of the previous decade. Quizzed about privacy and consent issues, Dr Gillian Braunold, joint national GP clinical lead for the DH agency, told the committee that information governance was beginning to be looked into and there would be further answers in a year"s time when an independent evaluation by University College London (UCL) of the early adopter sites was completed. . . In the later session, the ten year gap was greeted with horror from Andrew Hawker, a former systems developer, giving evidence as a NHS patient. . . Harry Cayton, DH national director for patients and the public, told the committee that the decision to go forward with the NHS CRS as an implied consent model was decided as a "professional agreement" and one that was necessary to save GPs' time. . . Eyebrows were also raised when the issue of use of data from the CRS for research purposes came up. CfH said that pseudonymising data meant that researchers would have access to personal health records that have no identifiable information except a postcode and a date of birth. Dr Paul Cundy, chair of the General Practitioner"s Joint IT Committee, responded to this suggestion by telling the committee: "Anonymisation is an absolute condition for research. Data is either anonymised or its not. Saying something is pseudonymised is a clever way of avoiding saying its not anonymised. On the basis of the evidence we heard from CfH it would seem that the Secondary Uses Service is illegal". . . However, Richard Granger, the director general of IT for the NHS, had earlier shrugged off concerns calling both information and computers "vulnerable". "All computers are vulnerable and no-one can guarantee a flawless system," he said, adding later: "Our suppliers all have experience with security and we are introducing functionality incrementally, mitigating risks and examining any necessary changes before the next stages." . . . Dr Martyn Thomas representing the UK Computing Research Committee told the committee that CfH had no security limits. "I have asked Richard Granger directly if he has targets for unacceptable levels of security and he says no " no targets means you will end up spending more money or you take it as it comes " which is unacceptable in practice, as it means taking systems offline."

Securing information in primary care (9 May 2007)

e-Health Insider

"The world of primary care IM&T is evolving rapidly with a move away from local systems, only accessible to local practice-based staff, to remotely hosted systems in which patient information becomes available to NHS staff across an entire health community. According to Ewan Davis, chairman of the British Computer Society's Primary Health Care Special Interest Group, the big change in security considerations in primary care is scale: "Instead of 12 people in a practice looking after 6,000 patients you are now looking at PCT or even cluster-wide data sharing." With this change in scale new security measures and mechanisms are required that don't just depend on trusting staff. "We are now moving beyond the domain of trust, you can't know everyone in a local health economy," says Davis. The underlying trends driving these changes are the moves to shared clinical information systems and the actual ownership of patient data. Davis commented: "The ownership of data is changing. Previously you could only get at GP data with the consent of the GP, with the development of national and shared record systems this is no longer the case." For many in primary care the move to remotely-hosted systems, which connect to national applications such the NHS Care Records Service, Choose and Book and the Electronic Prescription Service creates new risks and concerns around confidentiality, consent and information governance. Davis said that a particular current concern was around the personal demographic service (PDS) of the NHS Spine. "A lot of people have expressed worries around PDS data being searchable by anyone in the NHS." The second current issue worrying many in primary care is around Choose and Book and the claims that people can get access to clinical information not relevant to them. Ironically, Davis said that NPfIT appears to have developed good mechanisms to maintain the confidentiality of patient data on the CRS system, but some of them such as the sealed envelope and facilities for 'stop noting' have yet to be implemented. Ian Nottage, information manager at Western Sussex PCT, says that the biggest issue for his PCT currently are around information governance. "We have concerns around the creation of large central databases in which we have no control over what happens to data once it goes to the centre," says Nottage. "We already get concerns over what will happen with Choose and Book data once it is sent to the centre." . . ."

'Sealed envelopes' on hold as policy debate continues (10 May 2007)

e-Health Insider

"Local service providers (LSPs) are unable to deploy sealed envelope functionality because a clear specification looking at how the policy should work is not yet available, the Commons Health Select Committee heard today. Computer Science Corporation"s president of the Europe Group, Guy Hains told the committee that the LSP to the North-west and West Midlands, North-east and Eastern clusters was ready to add in sealed envelopes functionality to its deployments, but was unable to do this because Connecting for Health has not decided on how the system will work. "There is an issue of a specification for sealed envelopes. Technology-wise we understand how to add in the functionality, but we need a clear specification, and we don"t have that. We need to know how it will be used, when it should be deployed and an idea of the data-sets involved with this addition." Hains said that CSC had a timetable to implement the sealed envelopes functionality, but they have to wait to hear exactly what was wanted before the LSP can complete and deploy such a system. . . CSC is confident that the technology they are deploying will bring great benefits to the NHS and iSoft"s Lorenzo will bring the NHS into the next generation, Hains said. He said that the delays in Lorenzo pointed to a number of factors: "Firstly, the ambition of CfH in terms of care pathways is demanding in software terms. We demand the best quality software with rigorous testing, different to the way software is made now and enables us to use it more widely than just the UK, like for the spine in Holland perhaps. "Secondly, there is no doubt that the uncertainty regarding iSoft and its future ownership is an unwelcome distraction, but we are duly supportive to iSoft and Lorenzo, which is why we have sent 100 of our people to work on it and 23 NHS clinical professionals are also working on it. We expect delivery in the middle of next year." Hains attempted to allay security concerns, but was interrupted by Professor Brian Randell, professor of computer science at Newcastle University, who said that Richard Granger [NHS IT director-general] has told him that there are no written security measures for NPfIT. Hains replied: "It is true to say we don"t have any specific statements on security but we do have targets and we have targets and an environment with a 100% no data loss requirement. All trusts deploy systems on a voluntary basis and we have to support them with the change management. Our experience has been positive though, and we are deploying faster than ever before." He said that CSC had been working hard to ensure the system was as robust as possible. . . Hains said lessons have been learnt since the Maidstone data crash last year which left 80 NHS trusts across the North West and West Midlands, including eight acute trusts, without access to patient data on their clinical and administration computer systems, adding that he was confident that new measures would prevent similar problems at other trusts. "We have learnt several things from Maidstone. We now know it is better to have four back-up centres, instead of just two and we have tightened our targets and expectations for how quickly systems get brought back up from 72 hours to 24 hours and much shorter times for critical environments." Today"s hearing was the second evidence session by the parliamentary select committee into the electronic patient record. Two further sessions will be held in June."

Confidentiality of millions 'at risk' as IT chief exposes security flaws (24 May 2007)

Pulse News

"Robert Navarro, whose firm is handling key security aspects of the rollout of the controversial care record, told Pulse of his fears as our Common Sense on IT campaign builds momentum. He warned records could be leaked unless extra safeguards are put in place. Mr Navarro, managing director of Sapior Ltd, is a leading expert on pseudonymisation, a security technique which reduces the risk of records in a database being identified by replacing data in key fields, such as a patient's NHS number. 'BT say if it's pseudonymised, it's safe " that is just not true,' he said. Sapior is subcontracted by BT on behalf of Connecting for Health, and developed the pseudonymisation software currently used by the Secondary Uses Service. The service currently only provides data to NHS organisations, but information is likely to be shared with researchers more widely when the care record programme has been rolled out. Mr Navarro told Pulse that if pseudonymised records were shared beyond the NHS, they would be vulnerable to so-called 'inference attacks', whereby the identity of patients could be revealed through details in their records which remain in their electronic files after pseudonymisation. In August last year, newspaper journalists and computer hackers used inference attacks to successfully identify thousands of internet users after online giant AOL made pseudonymised search data about more than 600,000 of its users available to researchers. 'When you're sharing beyond the current group you have to go to an extra level of protection in order to prevent the AOL kind of attack,' said Mr Navarro, who fears the same threat could be posed to NHS patients via the care record. 'Every researcher who says pseudonymising is fine is just ignoring inference attacks,' he said. Pulse's campaign calls for a watertight anonymisation system before records are made available for research purposes. Dr Paul Cundy, chair of the GPC IT subcommittee, said of Mr Navarro's revelations: 'This news confirms our fears about the Secondary Uses Service. 'It is now clear that the SUS must not be connected to anything new, nor external access granted to the data it holds, until we know it is anonymised.' Dr Paul Thornton, a GP in Kingsbury in Warwickshire and IT campaigner, said sharing data with the Secondary Uses Service without explicit patient consent would be 'unlawful'."

BMA votes for non co-operation on central records (29 Jun 2007)

e-Health Insider

"Doctors have called for a public inquiry into NHS Connecting for Health (CfH) and have called on the BMA to advise doctors not to co-operate with the centralised storage of medical records. The National Programme for IT was the subject of strong criticism at the association"s annual representative meeting (ARM) this week where doctors claimed the NHS IT project was doomed to failure unless a grip was taken on the project and that patient information held on the NHS Care Records Service (NCRS) was not secure and confidential. Dr Charlie Daniels, a GP in Torquay and chairman of Devon Local Medical Committee (LMC), told colleagues that patients and doctors would be the biggest losers if there was no public inquiry to into NPfIT. He claimed key elements of the programme were not working and that costs were escalating, suppliers were in trouble and stakeholders were being ignored. He said that in 2002 everyone had hoped that NPfIT would drag local hospitals out of the IT Stone Age and connect them with GP surgeries. He added: "Do I see Torbay Hospital with an all singing and dancing IT system that can give me a basic e-mail discharge summary? No " we still get a badly handwritten flimsy note which arrives days later." Dr Grant Ingrams, secretary of West Midlands Regional LMC, failed to convince colleagues that CfH had started to listen more carefully to what clinicians and patients needed and that calls for an inquiry were unnecessary. . . On the NCRS Dr Daniels described the smartcards already in circulation in the NHS as "300,000 keys to open one lock" and said many patients had reasons for not wanting to have their details on the spine. "Patients are being bullied when they are told that their care will suffer or that they are putting their lives at risk if they do not have their details on the spine. Patients are also being bullied when they are being told that they will not be able to access services if they do not have their details on the spine. This is disgraceful and should be deplored." Doctors backed a motion, against the advice of Dr Richard Vautrey from the BMA"s working party on NHS IT, which called on the association to advise doctors not to co-operate with the proposed centralised storage of all medical records which they claimed seriously endangered patient confidentiality. . ."

London NHS paper reveals plans to share patient data (3 Jul 2007)

The Register

"A document produced for London NHS reveals plans for extensive sharing of personal data between the NHS, social services, education and the police. Obtained by William Heath's Ideal Government blog, it says that the "Health and Social Care Integration Project" should fit with "known and future national developments... e.g. ContactPoint for Children, the Common Assessment Framework for Children, the Care Programme Approach, the Single Assessment Process for Older People, the Proposed Common Assessment Framework for Adults and its link with the NHS Connecting for Health National e-SAP Project. In addition, the system "should provide access to... details of entry on the Vulnerable Adult Register; details of entry on the Child Protection Register" and "should display details of a person's family members or carers who may also be receiving services." Responding to publication of the document, London NHS Chief Information Officer Kevin Jarrold protests that the paper is intended simply to agree "what is the minimum information needed to help those staff providing care to vulnerable people within London, while protecting patients" care and privacy. This initiative is to improve the methods used to access that information which is already shared between Health and Social Services. There is no intention of implementing any solution without the say-so of the NHS, Social Care and the public." It was, he says, produced to clarify what should and should not be accessible "by authorised colleagues within the NHS and our partners in Social Care, while ensuring patient safety and confidentiality." . . . The NHS Programme for IT anticipates very large numbers of authorised users, as does ContactPoint, and both of these are already widely seen as privacy disasters waiting to happen. By producing a system that "will enable the sharing of a person's information between" between these and other systems, the project is arguably substantially increasing the risks of abuse. And as an increasing amount of individual data is being shared by statute, at the government's behest (so the individual can't opt out and the professionals have no choice), it's all too likely that London's "vulnerable people" are about to get even more vulnerable."

Who controls the UK's electronic health record? (Jul 2007)

Data Processing Quarterly, Issue 19

"The Working Party of European Data Protection Commissioners has published a consultation document devoted to the Electronic Health Record (EHR) in response to the fact that most European countries are now developing EHR systems. These systems create a single patient record to contain the patient's entire medical history, whether the details are created by a GP, hospital, pharmacy or by any other relevant health professional. The document is of interest because there are several important conclusions reached by the Working Party which appear to provide challenges for the EHR system proposed for the NHS. At the heart of the NHS plans for an EHR system is the Summary Care Record. This is a centrally held, index record that is to be created for every patient in the UK and will contain contact details for the patient and doctor (e.g. name, address), administrative details (e.g. NHS Number, date of birth) and limited health information (e.g. allergies, current prescriptions). The Summary Care Record will also eventually point to the location of the Detailed (Health) Care Record which is the next stage of the project; current plans are for these Records to be stored on a number of inter-linked, regionally-based systems. . . The Working Party has concluded that a centralized EHR system (i.e. close to the UK's approach to EHR) 'assumes there will be a single controller for the whole system separate from the healthcare professionals/ institutions'. The Working Party warns that in such a centralised system 'liability for the confidentiality of the system is taken out of the hands of medical professionals', and that this 'might influence the amount of trust invested by patients into such a system'. The Working Party also notes that risks associated with a lack of trust do not arise in a decentralized EHR system 'where the health care professional/institution' is responsible for the medical file, or in patient-centric EHR systems (for example, the French EHR system) where 'patients exercise a significant degree of control over their own medical personal data'. . . The Working Party also states that "all data contained in medical documentation in electronic health records" should be considered to be "sensitive personal data", even the 'administrative data' associated with a medical record. The Party notes that if these administrative data 'were not relevant in the context of treatment of a patient, they would and should not have been included in a medical file'. . . Finally, the Working Party states that only those professionals who are 'presently involved' with a patient should have access to the health record (e.g. this limitation should apply to access to the Summary Care Record), and that 'a patient should have the chance to prevent access to EHR data if he so chooses'. In summary, the Working Party is proposing an unconditional right to object to the processing. This contrasts with the tests described in section 10 of the Data Protection Act where the data subject has to establish unwarranted substantial distress or unwarranted substantial damage and where section 10 also gives the Secretary of State the power to negate the right to object."

[Working Party Report -]

Locking horns over the care record: arch sceptic versus true believer (23 Aug 07)


"As Pulse's Common Sense on IT campaign gathers pace, veteran IT campaigner Dr Paul Thornton goes head to head with Connecting for Health's Dr Gillian Braunold in a special email debate, here published in full, unexpurgated form."

Security warning as NHS staff view celebrity record (17 Sep 2007)

Computer Weekly

"An NHS primary care trust has warned of a new risk to the confidentiality of medical records under the National Programme for IT (NPfIT), after more than 50 staff viewed the electronic records of a celebrity admitted into hospital. . . A spokesman for North Tees Primary Care Trust said the accessing of a celebrity's records took place elsewhere, not within the trust. The spokesman was unable to give any details of the incident or where it took place."

EU law could scupper Care Record (21 Sep 2007)


"Health minister Ben Bradshaw has admitted the rollout of the NHS Care Record could be banned under European law. The revelation, which comes following fierce criticism from the health select committee over the safeguards being put in place to protect the confidentiality of patient data, comes three months after Pulse first reported that the Government's IT plan could fall foul of European legislation. In a letter to an opposition MP, who raised concerns on behalf of a GP IT campaigner, Mr Bradshaw confirmed that the draft European Data Protection Directive, currently going through the European courts, would throw major question marks over the programme, if it becomes law. . . However, writing to Conservative MP for Rugby and Kenilworth, Jeremy Wright, Mr Bradshaw said the Department of Health still disputed Professor Korff's claim, although he refused to reveal details of the Government's legal advice. Mr Bradshaw said he expected the EU legislation to be amended, after consultation with European governments, adding that as a consultation it carried 'no legal weight'. However, he admitted that the working group running the consultation in Europe 'has suggested that it may be difficult to provide electronic health records with a robust legal basis.' Mr Wright took up the case on behalf of veteran IT campaigner, Dr Paul Thornton, a GP in his constituency. Dr Thornton said: 'Mr Bradshaw seems to be demanding greater privacy between him and his lawyers than he is willing to allow for patients in their dealings with their doctors. If he is so confident of the legal advice he has been given, and that he expects health care workers to follow, he should have no difficulty in publishing the advice in full.'"

Staff breaching smartcard security (17 Oct 2007)


"NHS staff routinely breach security policies on the confidentiality of patient records, a health service IT chief has admitted. The warning came as new figures revealed Connecting for Health has issued nearly 400,000 NHS smartcards - but keeps no record of how many have been lost or stolen. Philip Scott, head of IT projects and development at Portsmouth Hospitals NHS Trust, said it was common practice for staff to log on using colleagues' electronic smartcards and left activated all day, because the log on process was so cumbersome and slow. Mr Scott warned: 'Despite NHS security policies, logging on and off each application takes so long that often one hospital worker will log on to a workstation in the morning and remain logged on all day, with other people accessing information through that login. . . New figures released to Pulse under the Freedom of Information Act set out for the first time the true extent of smartcard access to patient records. Thousands of non-GPs have been given GP-profile access rights, and 22,729 individuals have been made sponsors, enabling them to approve registrations for new smartcard uses. But Connecting for Health said although it counted the number of smartcards issued, it was unaware of how many cards had been lost or stolen and subsequently reissued. . ."

You're better safe than free - the mantra of the Whitehall Taliban (21 Oct 2007)

Sunday Times

". . . Jacqui Smith, the home secretary, wants to give the police and others access to all mobile phone records - and one day possibly the satellite tracking of car movements. Smith wants to supplement this material with electronic identity cards, including personal and criminal details, and computerised medical records. If the lord chief justice and others get their way the DNA of every native of, and visitor to, Britain will be added to this mighty store. Given the number of access points - police, National Health Service, Whitehall, local councils and insurance companies - and given the ease of modern computer hacking, every Briton's life story will be open to all and vulnerable to all. One result is that millions may find it impossible to get credit or insurance cover. . . I accept that there is a case for ID cards: a few careless fraudsters and immigrants might be stopped from cheating on social security but this is not remotely worth £12 billion of public money. The case for a nationwide medical computer is equally trivial. It is that paramedics might give the wrong drug to an accident victim who has forgotten his allergies but can remember his NHS Pin number. Nobody balances a cost above £15 billion against the benefit, let alone against the general infringement of privacy and the certainty of computer hacking by insurers and others. In all these cases, ministers merely deploy the dictator's gambit that the "innocent have nothing to fear". . . The only real defence of Blair's "liberty, democracy and freedom" is to demand, constantly and tediously, that each extension of state power be justified as proportionate, cost-effective and consonant with these values. The onus should be on the executive to justify intrusion and repression, not on individuals to resist it. . ."

Security probe over Care Record crime (6 Nov 2007)


"NHS IT bosses have launched a review of security surrounding the Summary Care Record amid fears it will be targeted by blackmailers and identity thieves. Connecting for Health told Pulse the review had been ordered to assess the risk posed by so-called blaggers. The BMA warned 'highly skilled' con artists were set to seize on the care record rollout and try to trick staff into giving away private information. Dr Paul Cundy, chair of the joint RCGP and GPC IT committee, said: 'These people realise that because of the wide distribution of electronic records, it's easy to blag this information.' Dr Cundy said blaggers could come from a variety of sources, including health insurers, private investigators, blackmailers, fraudsters and identity thieves. 'They use NHS terms to sound plausible - they might call and say "my PDS is down, can you have a check on yours". 'Practice staff need to be reminded of the importance of not being duped into revealing confidential information.' A Connecting for Health spokesperson said: 'We are reviewing this threat along with a group of NHS organisations. The evolution of information systems will require the NHS to regularly review this threat."

Government claims on Care Record security 'simply false' (19 Nov 2007)


"Critics of the National Programme for IT have attacked a Government report as 'simply untruthful', after it backed security measures used in the controversial Secondary Uses Service. In its response last week to the Health Select Committee's inquiry into the electronic patient record, the Department of Health rejected calls for patients to give consent before particularly sensitive data, held inside so-called sealed envelopes, is used for research purposes. The report said: 'Patient consent to the use of anonymised or effectively pseudonymised data is not required by law.' But campaigners attacked the government's response, arguing NHS staff already access to patient-identifiable data through SUS. Last week Pulse revealed that three SUS users in every organisation within the NHS have been given access to patient-identifiable information contained with Commissioning Data Sets and Payment by Results data. Professor Ross Anderson, a world expert in security engineering at the University of Cambridge, said: 'The Department's justification is not just an evasion but is simply untruthful. They claim that the design of SUS 'ensures that patient confidentiality is protected' when it fact it doesn't. Even if you ask for your data to be kept private, three people at each of hundreds of different organisations get to paw through it.' Dr Neil Bhatia, a GP in Yateley in Hampshire, described the response as a 'farce', and Dr Paul Thornton, a GP in Kingsbury in Warwickshire, said it was 'a complete falsehood.' The Department accepted other criticisms from MPs over the Secondary Uses Service - but claimed it had 'already taken steps that will address these recommendations.' A new National Information Governance Board, which will replace the existing Patient Information Advisory Group, has been established to oversee the use of patient data in the SUS. A majority of the board's members will be members of the public recruited via 'a national public advertising campaign'. The department has also launched research into the effectiveness of pseudonymisation. Meanwhile in an exclusive interview with Pulse, GPC chair Dr Laurence Buckman this week denied the BMA had endorsed the department's plans for the Secondary Uses Service. 'Are there secondary uses for data that is collected through Connecting for Health?' he said. 'No. Patients gave that data for specific purposes, it shouldn't be used for anything else.'

Second-class and lost in the post (21 Nov 2007)

The Times

". . . It is beyond farce, past comprehension, criminally irresponsible and beneath contempt. All those lectures from government and authorities about keeping our personal data safe; every statement ever made about the security of the proposed NHS database of everybody's personal medical records; each claim that the Children's Database containing all their personal details will somehow make our kids safer; and of course each and every promise about the safety of the national identity register - exposed as quite, quite worthless. . . "

Another day, another disaster (21 Nov 2007)

The Guardian,,2214510,00.html

"Standing up in parliament yesterday afternoon, making his second emergency statement in as many days, Alistair Darling cut a battle-weary figure. No wonder. Neither the near-collapse of Northern Rock nor the loss of two CDs containing details of 25 million people are the chancellor's personal fault. . . The Treasury argues that the loss of such a colossal amount of confidential data is a purely "operational" mistake, made by another department answerable to the chancellor, but not run by him. True enough. And, hearing the details yesterday (a junior staffer couriering data over to the National Audit Office, but not registering or recording the package), it was hard to detect a strong case for a ministerial resignation, although the Revenue and Customs head, Sir Paul Gray, has stood down. But the chancellor's failure to disclose the package's loss for 10 days and his assurance that any "innocent victims" of fraud would be compensated did not smack of sure governance. . . What began as a careless slip has major implications for all government attempts to store huge amounts of personal data on its citizens - including the troubled NHS Spine, under which all our medical records would be centrally held. . ."

Crisis over lost data (21 Nov 2007)

The Herald

". . . The breathtaking incompetence of a system by which a relatively junior civil servant could download sensitive material to discs and send them as unregistered post immediately and properly prompted questions about the security of the proposed national identity cards and a central database of NHS patient records. The government suggests the biometric material that will be a component of identity cards will make them much less susceptible to fraud and that much newer technology will provide a safeguard for the patient-record database. Nevertheless, this experience will deepen the anxiety ordinary people feel about the storage of personal data required by these measures. Both should be re-examined carefully in the light of the lessons to be drawn from this calamitous failure of procedure. . ."

NHS database 'could be targeted' (21 Nov 2007)


"The man in charge of setting up the NHS medical records database has admitted that "you cannot stop the wicked doing wicked things" with information. Richard Jeavons, director of IT implementation at the Department of Health, said there were instances where staff "abuse their privileges". These had to be "pursued", he told the Commons home affairs committee. The plan to put 50 million patients' records on the database is part of a £12bn NHS IT overhaul. The scheme has raised concerns over cost and the security of information. A poll for the Guardian suggests that 59% of GPs in England are unwilling to upload any record onto the database without the patient's specific consent. Three quarters of more than 1,000 doctors questioned believed medical details would become less secure when they are put on a database that will eventually be used by the NHS and social services. . . By 2014, 30,000 GPs in England will be linked up to nearly 300 hospitals giving the NHS a "21st century" computer network. It involves an online booking system, Choose and Book, a centralised medical records system, e-prescriptions and fast computer network links between NHS organisations. . . Opponents say it is too expensive and will compromise the confidentiality of records. The home affairs committee is looking at whether the UK has become a "surveillance society". . . Government chief information officer John Suffolk told the MPs that setting up a nationwide database going across Whitehall departments and other government agencies would create more problems. He said: "When you work at a national scale, to continue to put more eggs in a single basket is a foolhardy approach." Mr Suffolk added: "The more and more you put it into a large database, with more and more people having access, it becomes more complex... "If we can avoid setting up large-scale citizens' databases, that would be a wise thing to do." The Information commissioner last year warned the UK risked "sleep-walking into a surveillance society". The committee's inquiry will include the impact of identity cards, the expansion of the DNA database and the rise in the use of CCTV cameras."

A mass movement is needed to tackle the state's snoopers (25 Nov 2007)

The Observer,,2216768,00.html

"Ministers will quickly lose their shame over the missing 25 million files and continue to stockpile our most personal secrets. There's no time to crow over the government's loss of 25 million people's details; no time to rejoice at the obvious mortification of Gordon Brown, Alistair Darling, his sidekick, Andy Burnham, Jacqui Smith and Harriet Harman. These people will not be deterred by the calamity of last week. They are shameless. In a month or two they will bounce back. The ID card scheme will be relaunched and Jacqui Smith will continue with her plans to demand 53 pieces of information from people before they travel abroad. The Children's Index, the Children's Assessment Framework, the National Health database, the ever-expanding police DNA database will all continue to scoop up information. Why? Because the control of the masses is coded in the deepest part of Labour's being. So let me just say it now: the politicians we saw ranged before us on the front bench last Tuesday, like defendants in a mass trial, are dangerous, misguided and incompetent; and they are still in a position to cause havoc. Under a plan known by the reassuringly dull title of Transformational Government, a huge process of centralisation has taken place, creating countless opportunities for security breaches, as well as abuse by the state. At the time, the government defined it as 'transforming public services as citizens receive them and demonstrating how technology can improve the corporate services of government so more resources can be released to deliver "front line" services'. Anyone emerging from this phrase with a clear meaning in their mind deserves an award, but it has resulted in the demonstration of an almost mathematical truth. The larger the database and the more people who have access to it, the greater the lack of security. Professor Ross Anderson, the leading British expert on this kind of engineering, believes it is impossible to go for scale, security and functionality without one suffering. . . Some 300,000 people will have access to the NHS database. There are already stories about the records of a well-known patient being viewed for entertainment by 50 hospital staff in the North East. 'Imagine a doctor or professor leaving a laptop on a plane that includes the entire nation's health records,' said Anderson. 'It's not impossible.' Indeed, at the last count there had been 14 lapses in major government IT projects in the last two years. It's not just about patient privacy or the outrageous decision by Whitehall to override the need to gain people's consent before their records were uploaded; a failure of the internet or large-scale power cuts could leave hospitals without access to x-rays or medical records. . . Each of us should understand that personal information is exactly that - personal - and that the government has only limited rights to demand and retain it. The scale of its operations and the innate weakness of the systems is a very grave concern to us all. What is needed - and here I hope someone is listening - is a mass movement on the lines of the Countryside Alliance, which goes across all parties and absorbs the skills and expertise of countless activists. Now is the moment to create a movement in defence of our privacy, security and freedom."

Patient 'data may go abroad' (26 Nov 2007)

The Guardian,,-7102999,00.html

"The Government is reviewing whether sensitive information about NHS patients could be sent overseas for processing, it has been claimed. GPs expressed concerns this would create a "risk to confidentiality" - particularly if records are sent to countries with a different culture of data protection. A leaked internal NHS Connecting for Health document reveals a review is under way into whether patient data could be processed by "approved organisations" abroad, according to IT magazine Computer Weekly. It is understood there are currently no plans to do this. . ."

Fears over NHS patients' records (29 Nov 2007)


"Patients' confidential medical records are regularly being accessed by people who have no right to them, research by the BBC has revealed. Figures obtained under the Freedom of Information Act reveal that in the last year there have been several data security breaches in the West. Confidential medical records should only ever be seen by doctors and nurses who are working with the patient concerned, with the government spending some £13bn to digitise the medical records of every patient in Britain. By 2010, the NHS Care Records scheme aims to have an electronic NHS Care Record for all patients. The record will detail the key treatments and care given to each of the NHS's 50 million patients. But in the last year there have been incidents in Gloucester and Cheltenham where staff have shared passwords, giving unauthorised people access to confidential records. At Bath's Royal United Hospital the same type of breach took place while breaches of security also took place in Swindon and Bristol. The North Bristol NHS Trust has reported catching a member of staff looking at friends' records, although they were just issued with a warning. . ."

A spine waiting to snap (4 Dec 2007)


". . . Today I've had a letter from Her Majesty's Revenue and Customs, somewhat apologetic in nature, although not apologetic enough for my liking. . . In the meantime, as these craven letters are being distributed to 12.5 million families, another section of our well-oiled efficient government machine is continuing with its plans to upload the medical records of the entire population to another national database. We have learned to refer to it as the national spine. No one asked for it and there was no demand for it. There is no precedent for it, and no evidence that it can be done or that there will be any benefit from it. . . My personal medical records will not be joining this ludicrous Keystone Cops experiment. Neither will those of any of my patients. It is simply not possible that our government can give us any sort of guarantee that some berk in Birmingham will not download the lot and send it to his DVD rental club by accident. About 2,000 people in Sunderland are relatively well protected, confidentiality wise, because none of their personal medical details can be divulged without their written consent and my personal supervision - and while I'm not guaranteed to be error free in every department, I'm unlikely to bugger things up on this one. I will be advising my patients to allow me to continue to protect their confidential information, because I trust me and so should they. I trust the national spine as much as I trust Her Majesty's Revenue and Customs. It will go wrong - seriously, drastically, terminally, expensively. But you knew this already." [Dr Phil Peverley]

Blind Data (8 Dec 2007)

Financial Times

A civil servant sends a couple of discs containing personal information on half the UK's population through the internal mail and they get lost. Is it reasonable to assume that if those details had not been held on two CDs but on 25m pieces of paper, they might not have been mislaid quite so easily? This widely reported "data disaster" happened just after the government published its response to the parliamentary Health Committee's recommendations about the proposed electronic medical record, a cradle-to-grave medical database available to all NHS staff, currently being piloted in Bolton. In its wake, my unease with the transfer of paper-based medical records on to electronic systems has hardened to distaste because of the threat this poses to confidentiality. Most hospital records are a mixture of paper and electronic records. Some general practices run either paper-light or paper-based medical notes, with some or almost all clinical details stored on electronic records. Currently these are mainly stored locally and are not available to be sent electronically to every other doctor in the UK. But the electronic medical record would mean that our records would be available anywhere, anytime. Supporters of the system say that if you are allergic to penicillin and are found unconscious, then it might be useful to have electronic records instantly available. But this plus point is also a danger. Electronic records are too easy to access and distribute. One of the "problems" with paper records - that they are less transportable - is, in terms of confidentiality, a strength. At least they can be locked away in a cupboard. In the case of unconscious patients and life-threatening allergies, is an electronic record really the answer? If someone is found unconscious, the doctor has to work out their identity before knowing which records to open. Far better for the person to be wearing a device that immediately alerts doctors, such as a bracelet inscribed with the medical information. The General Medical Council states: "Patients have a right to expect that information about them will be held in confidence by their doctors." But the electronic medical record does not allow for this, and it will also operate on an opt-out basis, rather than an opt-in. . . The government argues that there will be "sealed envelopes" on the electronic record, which can store sensitive information - for example, mental health problems or HIV testing - that will only be accessible with consent from the patient. But these envelopes have yet to be tried and tested and, quite astonishingly, contrary to the health committee's recommendations, the government plans itself to access this information to furnish a long-standing database. . . The government's disregard for the need for confidentiality is the reason I will ask for the opt-out code to be added to my medical notes. In my view, the depth and breadth of data capable of being accessed via the electronic record makes the loss of two CDs of bank details look trifling. [Dr Margaret McCartney]

Thousands of staff details leaked (11 Dec 2007)


Thousands of staff have had their personal details leaked after a Merseyside health care trust "accidentally" sent them out. Trade union Unite is calling for an urgent investigation into why Sefton Primary Care Trust sent staff details out to four medical organisations. The blunder includes dates of birth, National Insurance numbers, salary and pension details for all staff. The companies were bidding for services within the trust. The chief executive of Sefton PCT Dr Leigh Griffin, has sent a letter to all staff apologising for the "accidental release of their personal data". The exact number of people affected is not yet known. However the PCT said it would not reveal who the four organisations were due to "commercial confidentiality". Union officials said medical staff were concerned they would be vulnerable to fraud. They have asked all members to take precautions by examining their bank accounts, and changing their passwords. Kevin Coyne, Unite national officer for health, said: "It is disgraceful that an organisation trusted to protect the highly personal and sensitive medical details of thousands of patients can expose their staff in such a dangerous way and then deny them the information of where the information has been illegally sent. This is a clear breach of the data protection law and if it was an accident, an inquiry must be launched into how and why such sensitive information was passed on to so many external organisations."

Hospital patient records dumped in bin (19 Dec 2007)

Norwich Evening News

"Hospital records containing highly-confidential medical information about scores of sick people have been found dumped in a wheelie bin by a member of the public. The discovery of detailed information on around 30 patients at the Norfolk and Norwich University Hospital has today raised serious questions surrounding patient confidentiality. The shocking findings were made by a woman living in Bowthorpe who found several sheets of information about patients who recently attended the N&N when she went to empty her bin. The documents state the name and hospital number of each patient, along with past medical history, their nursing care while at the N&N and details of discharge plans, next of kin and referrals. Many of those affected by the security breach were very sick with medical history including ovarian, lung, breast and colon cancer, leg amputations, diabetes, liver disease and severe stomach disorders. The Evening News has today handed the documents back to the N&N, who have apologised and promised to launch an immediate inquiry. . ."

Nine NHS trusts lose patient data (23 Dec 2007)

BBC News

"Nine NHS trusts in England have admitted losing patient records in a fresh case of wholesale data loss by government services, it has emerged. Hundreds of thousands of adults and children are thought to be affected by the breaches, which emerged as part of a government-wide data security review. The Department of Health says patients have been told and there is no evidence data has fallen into the wrong hands. It follows losses of millions of child benefit claimant and driver details. The DoH said the security breaches were being dealt with locally and it did not have details of how many patients were affected. It said investigations were under way and action would be taken against anyone who had failed to fulfil their responsibilities under data protection laws. However, the Sunday Mirror reports that one of the breaches was thought to involve the loss of names and addresses of 160,000 children by City and Hackney Primary Care Trust after a disc failed to arrive at an east London hospital. . . The other trusts involved are Bolton Royal Hospital, Sutton and Merton PCT, Sefton Merseyside PCT, Mid-Essex Care Trust, Norfolk and Norwich and Gloucester Partnership Foundation Trust. Maidstone and Tunbridge Wells NHS Trust has reported two breaches meaning that 10 cases have occurred in total. The East and North Hertfordshire Trust reported a loss but has since found its missing data. One set of data, that reported lost by Gloucester Partnership Foundation Trust, consisted of archive records relating to patients treated 40 years ago - none of whom is still alive. . ."

Government in new data loss fiasco (23 Dec 2007)


"Ministers have been plunged into another data loss storm after nine NHS trusts admitted losing patients' information. Hundreds of thousands of people are thought to have been affected by the breaches of strict data protection rules by the health service. Critics said the disclosure raised fresh questions about the Government's handling of confidential personal data and the future of a new centralised IT system for the NHS. It follows anger at the loss of child benefit claimants' details by HM Revenue and Customs (HMRC) and those of three million learner drivers by a DVLA contractor. Richard Vautrey, deputy chairman of the British Medical Association's GPs' committee, suggested the Government was not serious enough about data security. "Patients need to be absolutely confident that the information that is held securely cannot be lost in some haphazard way as appears to be the case today," he told the BBC. He said the development was especially worrying given the Government's plans for a centralised NHS computer network, Connecting for Health, featuring every patient's records. . ."

NHS 'can be trusted' over records (24 Dec 2007)

BBC News

"The NHS can be trusted to handle patient information despite the loss of 168,000 patient records by nine trusts, its chief executive has said. The Tories want a planned database of 50m patient records to be reconsidered. . . Mr Nicholson said the level of security for the proposed new database system would be way beyond, for example, the level currently in internet banking. "This is a very high level of security. There isn't going to be a huge national database," he said. "What we're talking about is a series of regional databases that are connected together." Shadow health secretary Andrew Lansley said the data loss was further evidence of the government's failure to protect personal information. . . BBC News political correspondent Reeta Chakrabarti said Mr Nicholson was saying the government's plans for a national database were not what the Conservatives were saying it was. A series of regional databases linked together did not sound all that different from what the Tories were themselves suggesting, she added. . ."

Privacy tsar warns over data losses (24 Dec 2007)


"The series of data security breaches that has seen the personal details of tens of millions of people lost is pushing Britain to a "tipping point" over how such records are handled, the information commissioner has warned. Richard Thomas demanded "clearer accountability" and responsibility from organisations holding personal records following the loss of files by government departments and public bodies. He was speaking as the NHS chief executive, David Nicholson, insisted that patients' medical records were not at risk after it emerged that nine health trusts had lost the records of 168,000 people. . . Thomas, in a veiled criticism of the government, said failure to keep personal information secure put organisational credibility at risk and undermined public confidence and trust. "Right across the piece people here have got to take personal information a great deal more seriously. In the last few months people have got to a tipping point where they are suddenly taking data protection far more seriously," Thomas told the BBC. "What this has brought home to everybody is the importance of clear accountability and responsibility to make sure to get it right." He warned data protection was about "credibility" and not just complying with the law. The loss of medical records was "particularly sensitive" given the confidentiality enshrined in the doctor-patient relationship, he said. Thomas has raised concerns with NHS managers about the government's Connecting for Health project, which is intended to make patients' records accessible by computer to NHS professionals across the country. "They have got to be absolutely certain they have identified all the risks and are managing these very carefully indeed. Any mass loss of data from centralised databases would be very catastrophic, but medical information is of particular sensitivity," he said. Nicholson insisted that Connecting for Health would rely not on a single centralised database, but on linked regional databases, which he said would enhance security. Clinicians and other NHS employees would be able to access details only with a secret user name, password and smartcard, and access would be "role-controlled" so that each user saw only a relatively small number of patient records relevant to their specific area of work. . . Professor Ross Anderson, a computer security expert at Cambridge University, criticised systems allowing an entire database to be accessed by one individual. "The question is not whether the data was encrypted or password-protected but the deeper question of why is it that somebody has access to 160,000 children's records. Surely that's not right." The NHS revelations prompted the Tory shadow health secretary, Andrew Lansley, to call for the planned single database of 50 million patient files to be scrapped in favour of a network of local ones."

GPs' electronic records to go live despite data loss (7 Jan 2008)


"Electronic patient records held by GPs are to be made available to hospital staff for the first the first time this month, just weeks after the NHS had to admit losing hundreds of thousands of patient records. Moves to press ahead with the rollout of the Summary Care Record came as a pressure group claimed 200,000 people were already preparing to opt out of the programme because of fears over confidentiality breaches. More than 110,000 patient records in Bolton and Bury have now been uploaded to the spine. Staff working for local out-of-hours providers already have access to records, and A&E staff at the Royal Bolton Hospitals will follow 'within weeks.' But patient concerns over confidentiality have been heightened after nine NHS trusts admitted losing data on hundreds of thousands of patients. . ."

Patient confidentiality and central databases (Feb 2008)

British Journal of General Practice (Ross Anderson)

"2008 may be the year when GPs find themselves in the firing line over confidentiality, as ever more patients try to opt out of 'the NHS database' and the Government tries ever more desperately to keep the project on track. But I believe this should not be seen as a problem, but an opportunity - a once-in-a-lifetime chance to make a decisive change. GPs, by acting as the patient's advocate, can not merely retain patients' trust and defend their professional autonomy, but also rescue health policy from a serious wrong turn. Public concerns about the centralisation of health data have grown in recent years, especially since the press took up the issue in 2006. In November that year, a poll revealed that 53% of patients opposed a central medical records database with no right to opt out [1]. At the same time, a report for the Information Commissioner (of which I was an author) described government plans to share health information on children widely with other services, including social services, schoolteachers and the police. It concluded that the proposed measures were both unsafe and illegal [2]. In September 2007, the House of Commons Health Committee called for more information to be published on the proposed design, and for data placed in 'sealed envelopes' to be withheld from the Secondary Uses Service (SUS) - a suggestion that the Department rejected . . . Several national databases of identifiable health information already exist, ranging from the Prescription Pricing Authority's records of all prescriptions to SUS which contains identifiable data on finished consultant episodes in secondary care and from which the Health Committee believed patients should be entitled to opt out. Other national services have recently been built, such as the Picture Archiving and Communications System that centralises the storage of digital X-rays, and there are many plans for further data sharing in the public sector: the children's databases described above are to be followed by similar systems for the elderly and the mentally ill. Without robust consent procedures and effective opt-outs, these systems will make it increasingly difficult for a patient to get any kind of NHS care without appearing on central databases. . . Britain needs to turn over a new leaf in healthcare IT. As in the Netherlands or Sweden, central government should restrict itself to setting standards for interoperability and maintaining an approved product list. GP Systems of Choice are a useful step in the right direction, but we need a real transfer of power away from the centre and to the people in the best position to tell suppliers what new systems should do. That means local rather than central purchasing - and by the practice or hospital, not the PCT. This is how things are moving overseas: no country is as centralised as the UK, and almost everywhere there is more progress. . ."

Security fears on missing NHS smartcards (6 Feb 08)


"Thousands of NHS smartcards have already gone missing, raising fresh fears over the security of patient data held online, a Pulse investigation reveals. After requests to hundreds of NHS bodies under the Freedom of Information Act, Connecting for Health revealed 4,147 smartcards had been reported missing - 1,240 last year alone. At least 142 have been stolen, including 17 in one area - Hammersmith and Fulham PCT. Smartcards have now been issued to 438,314 NHS staff, although the number of users is eventually expected to top 1.2 million. Information obtained by Pulse suggests the number of missing cards could be higher than NHS chiefs admit. Among 221 NHS bodies replying to FOI requests, 2,887 cards were reported missing, including 1,400 last year alone. Extrapolating from this, the number of missing cards would be closer to 6,000. Connecting for Health insisted its data is accurate, with multiple reporting explaining the discrepancy in the figures. Either way, Pulse's investigation shows an alarming lack of attention to security. In almost every case, lost or stolen smartcards were reissued automatically without investigation, and no disciplinary action has been taken against any staff member. One trust in 10 admitted it had no idea how many cards had been lost or stolen. Professor Ross Anderson, a security engineering expert at the University of Cambridge, said: 'You can't expect stuff to remain confidential if a few hundred thousand people have access. There will be several hundred at any time who've lost their smartcards and thousands who leave terminals logged on or share cards in other ways. 'There just isn't either the culture or incentives for trusts to investigate data compromises properly.' A Connecting for Health spokesman said: 'As soon as a smartcard is reported lost it is disabled. It cannot be used by anyone finding it without a six-digit pin number, which is issued directly to users.' This week a BMA poll found that nine out of 10 doctors have no confidence in the Government's ability to safeguard patient data online."

Who Do They Think We Are? (Feb 2008)

Centre for Policy Studies

". . . NHS computerisation: a study of the failure of personalisation: The Government's scheme for 'personalisation' of the NHS through a central database demonstrates the enormous practical and ethical difficulties inherent in such projects. Described by the National Audit Office as "wider and more extensive than any ongoing or planned healthcare IT programme in the world...the largest single IT investment in the UK to date", the scheme was launched in 2002 and has already cost more than £2 billion (of an estimated £12 billion). Yet according to the Public Accounts Committee it is already two years behind schedule with no firm implementation date. The medical profession has expressed unease about the risks to patient privacy. A poll for The Guardian in November 2007 found that 59% of GPs in England would be unwilling to upload any record onto the database without the patient's specific consent. Three quarters of doctors surveyed said that medical records would become less secure on the proposed database. More recently a survey for The Times found that more than three quarters of doctors are either 'not confident' or 'very worried' about the possibility of data loss from the proposed database. When asked how well they thought that local NHS organisations would be able to maintain the privacy of data, only 4% of doctors said 'very well.' The majority, 57%, said quite or very poorly. Members of the British Medical Association are currently supporting a campaign to encourage patients to opt out from the database. A pro forma letter has been produced for patients to send to their GPs to stop their records being included on the new system. This follows much confusion and uncertainty over likely consent arrangements. Following opposition to an 'opt-out' system, the current proposal from the Department of Health is for a hybrid system where patients will have to 'opt-out' from the Summary Care Record (containing basic information) and 'opt-in' for more detailed records to be uploaded. Concerns over access to these potentially sensitive health records were fuelled when the director of IT implementation at the Department of Health told a Select Committee that "you cannot stop wicked people doing wicked things" with information and admitted there are occasions when staff "misuse their privileges" with data. It was recently reported that more than 50 members of an NHS hospital's staff had illicitly viewed the medical records of a celebrity, adding to concerns about the potential misuse of a national database. Meanwhile the Government Chief Information Officer John Suffolk has echoed the concerns of the Information Commissioner: The more and more we put it into large databases where more and more people have access to it, it becomes more complex. I think there is a balance to be struck, but clearly what we want to avoid doing is creating yet another large-scale citizen database when we have a number of those already because that would not be a wise thing to do. . ."

NHS database must go ahead, say MPs (25 Feb 2008)


"The chairman of the House of Commons Health Committee has brushed aside the confidentiality fears that have delayed the £12.5bn NHS summary care record database plan. Labour MP Kevin Baron attacked medical professionals for propagating "palpable nonsense" in suggesting the government will profit by selling the intended 60 million health records to pharmaceutical and insurance companies. He also accused the British Medical Association (BMA) of "scaremongering" with claims earlier this month that people were wrongly accessing records through the network. "My issue with some BMA members is that that is not a reason not to go ahead with using IT to bring health into the 21st century," he said in a Westminster Hall debate last week. "I am not a clinician, but one could well argue that not having a central database could be a matter of life or death." Baron said it was not going to be possible to stop all unauthorised access to patient records. But "sadly" the problem affects manual records now, he said. Patients have to accept that "people other than the doctor are likely to access some of their records for purposes of looking after their interests", said Baron. The question is what action should be taken against fraudsters. Barron argues in favour of the plan for electronic "sealed envelopes", within the record, containing information the patient wanted to keep confidential. Health Minister Ben Bradshaw said the government "strongly supports the committee's recommendations about having stiffer penalties for breaches of the Data Protection Act." He blamed delays "pretty much entirely because we took extra time to consult on and try to address record safety and patient confidentiality." Patients will have the right to see their summary care record, and challenge and correct any errors, he said."

We don't need a high-tech Domesday Book (25 Feb 2008)

Daily Telegraph

". . . Until very recently, it was a central tenet of government that data held by one department should not routinely be available to another. Indeed, many Acts of Parliament specifically outlaw data sharing because of concern that the state would be able to obtain a comprehensive picture of an individual's life when it had no need to. Yet these considerations have simply been brushed aside in the past few years, and anyone questioning why this is happening is regarded as a conspiracy theorist or a Luddite. There is now an assumption that the state should know everything about us and be able easily to access that information. This is justified as being good for us because it facilitates the provision of services that may be to our advantage, and on the grounds that anyone who is unhappy with the prospect must have something to hide. It is in the nature of states to want to obtain and store information about their citizens. They have been doing so since the year dot in order to tax them; but retaining vast amounts of detailed personal and private information has been nigh on impossible in any democratic state. Totalitarian ones have been more successful, relying on spies and bureaucrats to keep their records up to date. But information technology now allows democracies to collect and keep the sort of data about us all that more malign regimes of recent history would have killed to possess, and possessed to kill. Simply because the technology is available does not mean that the central issues of personal freedoms and privacy have gone away. If anything, they are more important than ever. The blithe acceptance that our identity is something that the state should possess, in the form of our DNA or fingerprints or iris biometric or health records, is misguided, though there will clearly be times when it is to our benefit that it should. . . Then there is the NHS computer system that will enable our electronic health records to be accessed centrally, which sounds like it must be a good thing until you consider the implications for people's faith in the confidentiality of the consulting room if the wrong people see the information. In a recent poll of GPs, more than 90 per cent said they were not confident patient data would be secure. Furthermore, none of them was asked before the Government decided that it was going to make our most intimate information readily available and many are opting out of the system. Why did ministers not look at the opportunities provided by IT from the other direction, from the point of view of the individual? Instead of spending £12 billion to upload all our health records to an insecure national database, or to a centrally accessible "spine", we could each be issued with a card, which we would keep for ourselves, and every time we visited the GP or a hospital, the details of our consultation would be downloaded from the doctor's computer. We would then be free to carry it with us - or not to, as we chose - wherever we went and the information would be kept between us and our GP. This would be less intrusive, far less expensive, would mean we "owned" our private information and would meet one of the often-overlooked requirements of liberty, which is the right to be private. What we are now witnessing with this explosion in the number of centrally controlled databases is the development of something awesomely intrusive, the creation of a gigantic high-tech Domesday Book to take down all our particulars and track us from cradle to grave. If by rejecting any notion of a universal DNA database, the Home Office now recognises there is a line to be drawn, then that is to be welcomed. The debate we need to have is not about how to expand the database state but what we can now do to limit and reduce it."

Police to be allowed searches of national database of NHS patient records (28 Feb 2008)

Computer Weekly - Tony Collins IT Projects Blog

"News analysis: It went largely unnoticed but the minister for the NHS's National Programme for IT, Ben Bradshaw, has confirmed that data on a central database of millions of confidential health records will be made available to police where there is an "overriding public interest". The phrase "overriding public interest" is not defined. Some people will say "So what? If police can better protect us by accessing health records we should be grateful the technology is now being provided". Others may say that allowing police access to the national electronic database of patient records information is a step towards allowing access to other public authorities, such as social services; and later on private organisations, including employers and insurance companies. Officials at the Department of Health would argue that every access to the records leaves a flag in the audit trail. But we will be reporting on evidence shortly that NHS staff may not have the time to check increasingly long audit trails of electronic healthcare records. . ."

Patient database open to access by non-qualified NHS staff (29 Feb 2008)

Computer Weekly

"A new national database of confidential patient records is being opened to access by NHS staff who need no professional qualifications - despite official assurances that records will only be accessed by specialists who are providing care or treatment. A document obtained by Computer Weekly under the Freedom of Information Act also provides evidence that NHS Connecting for Health - which runs part of the £12.4bn National Programme for IT [NPfIT] - has quietly decided to weaken assurances given to patients about the confidentiality of records. Doctors are angry because they say that patients were given an assurance that non-clinical staff would be unable to access the national summary care record database which is being trialled at NHS trusts in various parts of England. The document from Bolton Primary Care Trust, the first of the trial sites, says that patients were mailed leaflets informing them about the summary care record, a national database which will include the names of patients, medication history, serious illnesses and allergies. The leaflets being used in the "early adopter" trials at Bolton and at other sites tell patients the benefits of having a national database but also give them the option of "opting out" of having their records uploaded. One gave specific assurance to patients that receptionists will "not need to see your full clinical records". But after the leaflets were mailed to thousands of patients it was discovered that receptionists at Royal Bolton Hospital's Accident and Emergency department had been looking at the patient records, then printing them to add to the casualty record card. GPs involved in a trial of the NPfIT summary care record said they did not want receptionists to see clinical files unless patients were contacted again and told of a change of plan. Bolton Primary Care Trust has decided to change the procedure at hospitals to allow healthcare assistants - sometimes called nursing auxiliaries - to view the care records database instead of receptionists. But GPs say healthcare assistants usually have no professional qualifications and are not clinical staff treating patients. Paul Cundy, spokesman for the British Medical Association's GP IT committee said the papers obtained by Computer Weekly showed there has been an "erosion of the confidentiality of patient records that we feared would happen". He said that healthcare assistants were in essence "trained receptionists"."

Healthcare assistants' access to SCR defended (4 Mar 2008)

e-Health insider Primary Care'_access_to_scr_defended

"Connecting for Health has defended the decision to allow healthcare assistants to access Summary Care Records (SCRs) in accident and emergency departments. Royal Bolton Hospital's A&E department has been criticised by BMA IT representative Dr Paul Cundy after a document, released under the Freedom of Information Act, revealed that healthcare assistants are asked to print out SCRs for clinicians. Dr Cundy, chairman of the BMA's GP IT committee, told the BBC's Today programme that such a practice "breaches all common concepts of privacy and confidentiality." However, Dr Gillian Braunold, CfH's clinical director for the SCR, claimed the policy had been approved by the SCR Advisory Group, which includes BMA membership. . . Dr Braunold said CfH did not dictate to NHS organisations which groups of staff should access records, leaving it to local organisations to decide for themselves following their own information governance procedures. . . When GPs in Bolton discovered that receptionists were printing out records for clinicians in the A&E department, they demanded that the PCT write to patients again to tell them of the change in plan. The PCT decided to change the procedures to allow health care assistants to print out the records. , , Dr Cundy told EHI Primary Care that it was unacceptable for patients to be told that only clinicians would access their record sand then for that position to change within a few weeks of the early adopter site going live. . ."

FOI papers reveal more lessons from Bolton NPfIT trials (19 Mar 2008)

Computer Weekly - Tony Collins' IT Projects Blog

"Papers released by Bolton Primary Care Trust under the Freedom of Information highlight some of the lessons learned from its trial of the NPfIT summary care records system. . . "Officials were surprised by the number of leaflets on the summary care records which were returned because the recipients had changed address - which increases the risk of patients having their medical information uploaded to the data "spine" without their knowledge or consent. The papers say that the returned mail was "a lot larger than anticipated" - up to 3%. . . "If a search is performed for any patient on CSA [the clinical spine application which allows NHS staff controlled access to the national Care Records Service], the software will give consent status as "Implied Consent". For any patient who [is] not yet part of SCR early adopters, this is incorrect, as implied consent implies they have been informed about SCR. . . GP systems continue to be affected by performance issues, and the source of these performance problems is still to be totally identified and resolved. . . Local public reaction is really unpredictable at present [to the summary care record] but is likely to be mixed. . . There are many duplicate records within the Adastra [out-of-hours] system run by Bolton Out of Hours. If OOH continue to generate duplicate records there is a risk that Summary Care Records usage may be impacted as there will not be easy access to NHS number, if original record is not found." Separately Bolton has reported "excellent progress" on its trial of the summary care records."

CfH says SCR audit trails 'clunky' (25 Mar 2008)

e-Health Insider Primary Care

"Connecting for Health has acknowledged the audit trail facility in the first Summary Care Record pilots 'has been clunky', after minutes from the board of Bolton PCT expressed concerns over the functionality. Problems are reported with the time required to review audit trail alerts - created by the SCR system. In official minutes, a member of Bolton PCT's SCR board branded the amount of time required to use the audit trail functionality as 'ridiculous'. The ability to track and review who has viewed a patient's summary record is one of the key security features of the SCR. According to papers released by Bolton PCT under the Freedom of Information Act to Computer Weekly magazine, the PCT, one of the SCR early adopter sites, had difficulties keeping up with alerts on its audit trails. The magazine reports the board papers saying: "[Name unknown] is having to put a lot of time into this task and, at the moment, we do not have all that many alerts coming in as the system is not being used to its full potential yet. [Name unknown] felt that the audit trail is ridiculous and asked how they hope to be able to manage it nationally. "[Name unknown] informed the group that NHS Connecting for Health had envisaged that this task would take one day per week for each primary care trust which [name unknown] pointed out is still a great deal of time. At the moment it is taking [name unknown] around an hour to look at 10 alerts." CfH's clinical director of the SCR, Dr Gillian Braunold, told EHI Primary Care that the audit trail facility was not yet working in the way that she hoped it would. . ."

290 patient safety incidents reported under NPfIT scheme (25 Apr 2008)

Computer Weekly

"NHS trusts have reported nearly 300 incidents that put patients' safety at risk since 2005, when the National Programme for IT began systematic records. The disclosure provides evidence that new IT systems in the health service can put the safety and health of patients at risk if they fail or are used wrongly. Maureen Baker, national lead for clinical safety at NHS Connecting for Health, revealed the incidents at a conference in Harrogate. "We have had just under 300 incidents in two and half years," she said. "They cover just about every area that CfH has activity in." It has also emerged that ministers launched the NPfIT in 2002 with no formal structure for identifying incidents that could affect patient safety. Many of the incidents reported under the safety scheme centre on radiology information systems and picture archiving and communication systems (Pacs), which allow digital X-ray images to be stored, retrieved and distributed to computer screens. One incident involved two NHS trusts that had connected Pacs systems. Both used similar ID numbers to store and retrieve images, but some numbers were duplicated, so sometimes a correct number would retrieve the wrong X-ray image. There have also been incidents of drugs "mis-mapping", which could lead to the wrong drugs being given, or a clash of medication occurring. NHS Connecting for Health, which runs part of the national programme, put a new structure for reporting incidents into place only after DNV consulting compiled a highly critical - and unpublished - risk assessment of the safety of the NPfIT in 2004. Speaking at the HC2008 conference, Baker said there had been a big improvement in mechanisms for reporting incidents and dealing with them since 2005, three years after the launch of NPfIT. . . Last year the partner of a patient who died in hospital complained to the General Medical Council that X-rays on a Pacs system may have been mixed up. She told Computer Weekly she is waiting for a date for a judicial review over whether there should be a fresh inquest. It is not known whether this was one of the 290 incidents that put patients' safety at risk. . ."

Urgent review of SCR consent model recommended (6 May 2008)

e-Health Insider

"The independent evaluation of the Summary Care Record has recommended an urgent review of its implied consent model and questioned whether a national system should be rejected in favour of a series of linked smaller systems. The 138 page report on the SCR early adopter programme raises a series of issues to which it recommends that Connecting for Health pays urgent attention, including a review of the existing consent model. In response Connecting for Health has promised that the SCR Advisory Group will urgently consider the report's findings. A statement from CfH adds: "The report provides a number of important learning points, particularly on the question of patient consent to use the Summary Care Record, and the need to retain a clear focus on the purpose and scope of the Summary Care Record as it is implemented." The evaluation team from University College London, led by Professor Trisha Greenhalgh questioned the continued use of the existing consent model which allows initial SCRs to be created on an implied consent basis after patients have been sent information about the SCR programme and their right to opt-out. The report says its own investigation confirmed the findings of an early adopter practice which withdrew from the programme after conducting its own survey which concluded that patients remained ignorant of the basic issues despite receiving information. It said that in more than 100 interviews conducted with patients a high proportion did not recall having received information about the SCR or HealthSpace despite an extensive public information programme. The report adds: "The fact that much of the individual resistance within GP practices has come not from IT-ignorant 'laggards' but from Caldicott Guardians who are generally the most information-literate members of staff and certainly the formal custodians of the practice's data adds weight to the argument that the current consent model should be urgently reviewed." The evaluation team recommends that the SCR Programme Board and Advisory Group should look particularly at the 'consent to view' model which is used by both Scotland and Wales and means patients must give their explicit consent to view the record at each encounter. . . The evaluation report raises a series of questions about several other key aspects of the SCR programme. It said there was some resentment among PCTs that CfH allegedly pushed forward on a tightly-managed and largely non-negotiable timetable for implementing the SCR despite the fact that not all software contractors had delivered key technologies to agreed schedule. The report also states that although the technical security measures of the SCR appeared to meet high standards "there remain unresolved questions raised by experts about whether a series of linked smaller systems would be safer than a large single system and whether the plans for operational security will be fully enforceable in the busy environment of the NHS." The UCL team also criticised the SCR team within CfH for taking what it described as a narrow focus on implementing technology rather than a broader focus on socio-technical change. . ."

NHS puts brakes on electronic record system - In the face of criticism (14 May 2008),3800010403,39221435,00.htm

The NHS has pledged to halt the further roll out of its electronic patient record system while it takes stock of criticisms in a report. A report evaluating the trial rollout of the Summary Care Record (SCR) system highlighted concerns that the system was clunky, interfaces poorly with other systems and was being foisted upon patients without their full knowledge. Connecting for Health (CfH), the NHS body responsible for delivering the £12.7bn overhaul of NHS IT including SCR, says the system will not be rolled out until an advisory group reviews any changes that are needed in light of the report. The University College London report found that about 610,000 patients had been approached about being placed on the system in the four trial areas it looked at and that while most staff were broadly enthusiastic, SCR was widely seen as too complex and that some had given up on using it "until it works better". There was resentment among some staff that CfH had forced a tightly managed timetable on the primary care trusts for implementing SCR "despite the immaturity of the technical solutions". A spokeswoman for CfH admitted that one GP's surgery had given up on using the system. She said: "SCR will continue to be implemented in the early adopter areas, although they will not be rolled out beyond these areas until the Summary Care Record Advisory Group has considered the findings of the report and decided what, if any, changes need to be made to the SCR programme." The British Medical Association says the SCR breaches confidentiality as currently patients' details are put on the system unless they opt out and backs the report's recommendations to change the ability to opt out. . .

Politics pushing NHS scheme (15 May 2008)


Early adopters felt under pressure as Connecting for Health pushed the project forward to meet targets. An influential report into the Summary Care Records (SCR) component of the £12.4bn NHS National Programme for IT (NPfIT) suggests that political agendas are still affecting rollout of the scheme. . . Although the report was focused on SCR, the wider political context has been hard to ignore, according to report author Trisha Greenhalgh. The study found that early adopters felt under pressure as Connecting for Health (CfH), the NHS agency responsible for rolling out NPfIT, pushed the project forward to meet targets. "If you make unrealistic expectations, people just aren't physically capable of finding the time to do the things you're asking of them, and that means they will resent the project," said Greenhalgh. Scepticism in the clinical community means that CfH must consider the report findings carefully. But political pressure to keep the already delayed project on time and on budget means CfH must exert a certain amount of pressure on all parties to keep the scheme moving, said Greenhalgh. The same dilemma applies to another controversial part of the scheme - the consent model of the summary care records. The current model means that those who do not opt out of the scheme implicitly agree to have their records shared with any clinician but people in early adopter sites did not understand the implications, according to Greenhalgh. . . The case-by-case model is used in Wales and switching plans would require a degree of technical refitting by CfH. But this is a workable and necessary solution, according to Chaand Nagpaul, of the British Medical Association's GP prescribing committee. "The model of implied consent is not fit for purpose. It is possible to modify the model and this is the line that should be taken," he said.

GPs vote to halt Care Record Service development (16 Jun 2008)

e-Health insider

GP representatives overwhelmingly backed a motion to call a halt to development of the NHS Care Records Service at the BMA's annual Local Medical Committees conference on Friday. LMC representatives backed a motion expressing no confidence in the government's ability to store electronic patient records safely. They also backed calls to support patients who wish to opt-out of the Summary Care Record (SCR), and a motion calling for a halt on any further development of plans to develop Care Records Service plans. Proposing the motion was Dr Mike Ingrams of Hertfordshire LMC, who told the representatives: "In view of the government's unparalleled reputation for not being able to store records safely, the GPC must put a halt on any further development of a centrally-held patient record and promote locally held interconnected storage instead." Sections of the audience agreed with Dr Ingram's calls with many shouting 'Hear, Hear'. Other LMC members also backed the proposals, calling for the BMA to stop working with the government on development of patient systems until security promises were fulfilled. A call for the BMA's General Practitioner Committee (GPC) to boycott working with the government until all concerns about consent and confidentiality are addressed was rejected. . . The audience also voted to continue to follow BMA policy that no patient medical data should be added to the national database without patient consent and pledged to continue to encourage GPs to support patients should they wish to have their details withheld from the Spine. . .

30,000 NHS records lost as seven laptops stolen (18 Jun 2008)

Daily Telegraph

Laptops containing the personal details of more than 30,000 NHS patients have been stolen in two separate thefts. Sensitive data was been stored on laptops in defiance of rules; 30,000 NHS records lost as seven laptops stolen. More than 20,000 records were held on computers stolen from a south London hospital. In Wolverhampton, a laptop holding details on around 11,000 patients has been stolen. The missing data includes names, addresses, NHS numbers and, in the Wolverhampton theft, personal medical histories. In both cases, sensitive data had been stored on laptops in defiance of rules that are meant to protect such records from theft or loss. The disclosures follow the revelation earlier this week that Hazel Blears, the communities secretary, had stored confidential Government files relating to counter-terrorism on a laptop that has since been stolen from her constituency office. Of the two NHS thefts, the incident in Wolverhampton appeared to be the more serious, since the computer concerned contained detailed medical records and was not protected by any form of encryption. The laptop concerned was stolen from the car of an unnamed GP, according to Wolverhampton City Primary Care Trust. Some 11,000 patients have now been sent letters apologizing for the incident. . . In London, thieves stole six laptops from St Georges Hospital in Tooting. Three contained the first and last names, date of birth, postcode and hospital number of around 21,000 patients. The theft took place between 6 and 9 June, but St George's Healthcare NHS Trust only made the incident public yesterday. In an internal email to its staff, the St Georges trust said he "acknowledges that patient data should not have been stored in laptops." The laptops had been used as temporary storage, it said. Hospital managers said the patient data was protected by passwords and held in "hidden" files. . ."

Private companies could get access to millions of NHS medical records (20 Sep 2008)

Daily Telegraph

"The Government is considering giving firms access to a massive computer database which will contain the records of almost every man, woman and child in England. The information is a goldmine for private companies, who could use it for medical research or for helping them to sell products to the NHS. But privacy campaigners say they are "horrified" by the proposals which could see patients' postcodes, medical conditions and treatments - and in some circumstances, their names - passed on to third parties without their consent. The database, part of a long-delayed scheme to give NHS staff access to computerised medical records, will hold details of almost all visits by patients to hospitals and GPs. The plans have been dogged by controversy. Last week. ministers gave in to pressure from privacy campaigners and agreed that medics will have to gain the consent of patients before opening their computer records. Yet patients will have almost no control over the same information being passed on to companies and other bodies outside the NHS. The Department of Health says most records passed onto third parties would be made anonymous, but admits that identifiable data - which could include patient names - could also be handed on if it was deemed to be more useful. Security experts said the scheme would "hoover up" vast quantities of confidential data which could easily be traced back to individuals, whether or not names and addresses or other personal details were removed. Ross Anderson, Professor of Security Engineering at Cambridge University, said: "We have had a lot of debate about patients being able to opt out of the national scheme for patient records, but meanwhile the Government have pulled a fast one. There are no limits set on the way this data can be used; this database will hoover up all the personal medical data on every person, and it can be used for whatever the Secretary of State says it can be used for." . . . The Government public consultation on secondary uses of NHS data, which began without publicity on Wednesday, has been outsourced to a private company called Tribal, which holds contracts to organise the planning of NHS services. Its managing director Matthew Swindells was until recently chief information officer of the DoH, and before that adviser to then health secretary Patricia Hewitt. A spokesman for Connecting for Health, the government agency which oversees the patients records scheme, said that while "in theory" anonymised data could be used to trace an individual, researchers would be more likely to examine records in batches of hundreds of thousands at a time. He described the matter of whether information should stay within the health service, or ever go outside for research - to academic researchers or pharmaceutical companies - as a "valid question" on which the consultation sought public opinion. The agency's chief operating officer, Professor Michael Thick, said patients would be able to be removed from the so callled "secondary use" database if they made an application under the Data Protection Act. Under the proposed system, third parties would need to request information from the central database, and fulfil requirements set by data custodians and ethics committees."

Consent to view explored for detailed records (23 Sep 2008)

e-Health Insider Primary Care

"The new consent to view model for the NHS Summary Care Record in England may also be applied to the detailed care records held by NHS organisations. NHS Connecting for Health is to explore how the principle of 'consent to view' - announced as the new model for the SCR last week - could work when patients' detailed care records are accessed. Dr Gillian Braunold, clinical director for the SCR, said the consent to view principle was being explored for cases in which information generated and held by one organisation was made available to another. It would not apply to records generated and held within one organisation. "The principle of whether or not you could bring in consent to view before you look at records, when you wouldn't normally expect the information to be available, is what is being explored." The current consent model for detailed care records means patients must give their explicit consent for information to be uploaded, but not for it to be subsequently viewed. South West Essex Primary Care Trust, the sixth early adopter site for the SCR, which has yet to go live, has already said that the consent model for detailed care records held by SystmOne must align with the consent to view model for the SCR. Dr Braunold also told E-Health Insider and E-Health Insider Primary Care that she hoped the first hospitals would be able to upload discharge letters to the SCR at the end of the year. The software would include sealed envelope functionality to allow hospitals to withhold information that patients did not want uploaded. CfH is also working with out-of-hours IT provider Adastra to enable information from out-of-hours encounters to be uploaded, she said. The information uploaded to the Spine for the SCR from GP records will remain medicines and allergies. However, GPs will have discretion to add significant past medical history. In the future, Dr Braunold said England hoped to follow Wales in introducing an 'exclusion dataset' that would mean particularly sensitive information, such as details on HIV, sexually transmitted diseases and terminations, could not be inadvertently sent to the SCR. The technical amendments needed for the SCR are due to be delivered through BT's Clinical Spine Application in release 2008b, which will be in place before Easter 2009, according to Dr Braunold. The SCR is due to be rolled out nationally in 2009-10."

NPfIT minister was wrong in reply on records leaving NHS (10 Nov 2008)

Computer Weekly - Tony Collins' IT Projects Blog

"The minister in charge of the National Programme for IT [NPfIT] has given an incorrect reply to a Labour MP who asked in the House of Commons about a disclosure on this blog that 300 million confidential patient records have left the NHS for an academic organisation. Ben Bradshaw, the minister in charge of the NPfIT, was unwittingly incorrect when replying to a question by a Labour MP, David Taylor, who is a former IT manager. Computer Weekly had revealed that nearly 300 million confidential medical records have transferred officially from the government to an academic organisation outside the NHS. But in the House of Commons on 4 November 2008, Bradshaw gave the impression to David Taylor that all the records were anonymized before leaving the NHS. This is incorrect. The Patient Information Advisory Group, a statutory body, has authorised an academic organisation outside of the NHS, the Dr Foster Unit, to receive patient-identifiable information. The Dr Foster Unit has received patient-identifiable information on nearly every stay by patients in hospitals in England, and visits to an accident and emergency department. Also within the patient records transferred to the Dr Foster Unit were 215 million confidential files on visits to outpatient departments. The Dr Foster Unit, which is part of Imperial College, anonymizes the information before passing it to a separate organisation, Dr Foster Intelligence, which is funded by the NHS and Dr Foster. . ."

NHS medical research plan threatens patient privacy (17 Nov 2008)

The Guardian

The privacy of millions of NHS patients will be critically undermined by a government plan to let medical researchers have access to personal files, the health information watchdog told the Guardian last night.

"The prime minister and Department of Health want to give Britain's research institutes an advantage against overseas competitors by opening up more than 50m records, to identify patients who might be willing to take part in trials of new drugs and treatments. They are consulting on a proposal that is buried in the small print of the NHS constitution that would permit researchers for the first time to write to patients who share a particular set of medical conditions to seek their participation in trials. It would result in patients receiving a letter from a stranger who knew their most intimate medical secrets, which would be regarded by many as a breach of trust by doctors who are supposed to keep information confidential. It raises the prospect of a letter being opened by a relative, which could cause embarrassment. Harry Cayton, who is about to take over as chairman of the National Information Governance Board for Health and Social Care, the new watchdog on use of NHS data, said the proposal is "ethically unacceptable". He said: "There is pressure from researchers and from the prime minister to beef up UK research. They think of it as boosting UK Research plc. They want a mechanism by which people's clinical records could be accessed for the purposes of inviting them to take part in research, which at the moment is not allowed. I think that would be a backward step. "It would be saying there is a public interest in research that is so great that it overrides consent and confidentiality. That is not a proposition that holds up." . . . His board has written to Alan Johnson, the health secretary, asking for the proposal to be quashed. A health department spokeswoman said last night: "We are consulting on the NHS constitution to ensure that the final version is fit for purpose. We welcome the board's valuable comments and will consider them alongside other responses. We expect to publish our response shortly." . . . Cayton, the government's former patient tsar, brokered a compromise in 2006 after the Guardian criticised plans to place the medical records of every patient in England on a national electronic database, known as the Spine. Ministers conceded that patients should have the right to opt out if they were concerned that their personal data might fall into the wrong hands. He said: "The manner in which the Guardian raised the issue was frustrating at the time, but you can look back and see that it was in the public interest in the broadest sense. It caused people to have a discussion and there are benefits in having informed public debate." Cayton's board was set up by legislation this year. It will take over from the Patient Information Advisory Group, established after a scandal at Alder Hey children's hospital involving illegal storage of children's tissue samples. It will advise on issues involving consent, confidentiality, security and data sharing in social care as well as health."

NHS trying to access GPs' patient records by stealth (2 Dec 2008)


"NHS organisations are attempting to use data extraction systems to access patient records from practice systems without the permission of GPs. Pulse has learned of a series of incidents across the country where GPs have been forced to take action to prevent their records from being accessed remotely. It comes just a week before the end of Connecting for Health's consultation on the Secondary Uses Service. In Cornwall, mental health provider Outlook South West had planned to upload data on mental health service uses - including NHS numbers - to a central computer system operated by the Improving Access to Psychological Therapies programme. Patient data was to have been extracted from practice systems on an implied consent basis and shifted onto the PC-MIS information system based 350 miles away at the University of York. But Dr Matthew Stead, chair of Cornwall & Isles of Scilly LMC, said local GPs were opposed to data being sent without explicit patient consent. . . Elsewhere Manchester LMC has sought advice from the Information Commissioner over similar concerns relating to PCT plans for secure data extraction from GP systems. The LMC warned it had fears over 'risk of sabotage', 'the ability of the PCT to follow the rules of access' and 'mission creep, if the PCT begins to think it owns the data'. GPC leaders warned in a separate incident in Shropshire, a practice had discovered its system was being accessed externally by several healthcare workers without its knowledge. Dr Fay Wilson, a GPC member and GP in Birmingham, said: 'If people can just tap in when they feel like it, without letting us know, it could be happening all the time.'"

Data 'lost' in rush to create NHS database (5 Dec 2008)

Health Care Republic

"Patient data may have been lost as the DoH rushed to create an NHS patient database, the BMA's representative on the new National Information Governance Board for Health and Social Care (NIGB) has said. Dr Tony Calland, who is also chairman of the BMA ethics committee, said NHS Connecting for Health (CfH) had been 'pushing ahead with all kinds of IT solutions without really considering how information governance was going to work'. 'It was under pressure from the DoH, which was under pressure from higher up the line,' he said. Dr Calland said he feared that, as a result, there had been 'a great deal of leaking around the edges before anybody started to look at becoming more restrictive with data'. He said other threats to privacy, such as councils selling electoral rolls to private companies, were far more serious. The NIGB became a statutory body in November. It has powers to investigate and monitor the security of NHS records.However, it will have no powers of enforcement, except to report its findings to regulators or the secretary of state. Dr Calland said that CfH had now begun to appreciate the need for better data security and patient consent. 'Since the HMRC debacle (in which HM Revenue and Customs mislaid 25 million sets of personal details), the loss of personal data is slowly becoming a hanging offence,' he said."

Researchers want access to patient data without consent (17 Dec 2008)


"Exclusive: Medical researchers could gain access to fully identifiable patient records without GPs and patients even knowing, under proposals by the UK's two largest research organisations. The hugely influential Wellcome Trust and Medical Research Council are lobbying the Government to allow authorised researchers to search GPs' records without explicit consent. Under the plans, patients eligible for clinical trials could be contacted directly by researchers and asked to take part. The proposals raise the prospect of patients being invited to participate in a trial without being aware that information about their diagnosis had been passed on. It is precisely the scenario Harry Cayton, chair of the National Information Governance Board for Health and Social Care, warned against last month. He said: 'There is pressure from researchers and the Prime Minister to beef up UK research. They want a mechanism by which people's records could be accessed to invite them to take part in research. That would be a backward step.' . . . But doctors' groups warned giving researchers access without consent would undermine the trust of patients. The BMA said explicit consent 'should be the norm' for use of patient-identifiable data, and the RCGP warned 'permission for use of identifiable data should never be assumed'. The GMC said: 'Disclosing personal information about patients without consent to allow others to invite them to join studies involves a breach of confidentiality.' Dr Neil Bhatia, a GP in Yateley, Hampshire, said: 'The Wellcome Trust does appear to think it has some God-given right to access everyone's data without consent. It comes across as supremely arrogant.' Dr Trefor Roscoe, a GP in Sheffield, said: 'If people were contacted out of the blue by researchers many would be astounded that third parties had access to their information.' Bodies responding to the consultation were divided over other aspects of the Government proposals, including flagging the records of patients willing to be contacted by researchers and the use of pseudonymised data. The BMA said there was a need for 'better understanding' of pseudonymisation and warned: 'Some NHS bodies and researchers interpret linked anonymised data very loosely, for example with name and address removed but still containing NHS number, date of birth and postcode.'"

Data watchdog urged to examine legality of NHS database (19 Jan 2009)

e-Health Insider

"A GP who is campaigning against the NHS Care Records Services is calling on the watchdog for NHS data to examine the legality of the government's proposals for the NHS database. Dr Paul Thornton, a GP in Warwickshire, has written a 15 page report ( for the National Information Governance Board for Health and Social Care (NIGB) on the legal status of the NHS database. Dr Thornton wants the NIGB to force the Department of Health to publish its legal advice on plans for the Summary Care Record and to get that advice updated in the light of subsequent legal rulings. Dr Thornton told EHI Primary Care that the need to examine the legality of the NHS database had become even more important following the publication of the Coroners and Justice Bill last week. The Bill aims to amend the Data Protection Act to enable greater sharing of information across government departments. Justice Secretary Jack Straw said it was intended to help fight crime and improve public services but opponents claimed it marked a further step towards a Big Brother state. . . The government obtained legal advice on the SCR when it carried out a ministerial review of its proposals in 2006 but has since refused to release it. Dr Thornton also has an outstanding Freedom of Information Act appeal with the Information Commissioner arguing for release of the legal advice. In his report Dr Thornton welcomes the NIGB's criticism of DH proposals to allow health professionals to use care records for research purposes without patient consent, outlined in the Board's annual report in November. At the time Harry Cayton, the board's chair, told the Guardian newspaper that plans to give researchers access to patient information to recruit for medical trials was "ethically unacceptable." Dr Thornton said: "The standards now being demanded by the NIGB are already enshrined in UK law to an extent that the government cannot renege on as easily as it intends." Dr Thornton argues that European and UK law adds up to "at least a persisting reasonable doubt" with regard to the lawfulness of NHS Connecting for Health (CfH) proposals including the implied consent model for the SCR and the wider sharing of information on detailed care record systems. . ."

GPC member leads mass care record opt-out (1 Apr 2009)


"A senior GPC member is among a group of rebel GPs who have automatically opted out thousands of patients from the Summary Care Record over confidentiality fears, Pulse can reveal. A string of practices across the country have decided to conduct a blanket-opt of all their patients, and allow those who want a Summary Care Record to opt back in - a move which puts them on a direct collision course with Connecting for Health, currently overseeing the national rollout of the scheme. Last November a Pulse survey of 314 GPs found one in five planned to automatically opt out all of their patients when the Summary Care Record reached their area. Now the threats are becoming action. Dr Prit Buttar, chair of the GPC's Practice Finance Sub-Committee and a GP in Abingdon, Oxfordshire, said his practice had harboured concerns about the Summary Care Record project since it was first launched. All patients at the practice have had two read codes added to their records - '93C3 - refused consent for upload to national shared electronic record' and '93C1 - refused consent for upload to local electronic record'. 'To date, I'm not aware of a single patient who's said "actually I'd rather be on the record",' said Dr Buttar, adding that he hoped other practices would follow his example. 'I would really encourage people to have a good hard look at the facts. It seems to me a vastly expensive hammer to crack a very thin shell, and it doesn't really seem to have that much clinical usefulness.' GPs elsewhere are also conducting automatic opt outs. The Ivy Grove surgery in Ripley, Derbyshire, has told patients: 'To ensure the data of our patients remains safe, we have decided that by default, patients should be opted out of the NHS Spine, until such time that their active consent has been gained.' Dr Neil Bhatia, a GP in Yateley, Hampshire who has publicly campaigned against the Summary Care Record, said more than 1,900 of his patients had explicitly opted out even though his practice had pledged not to upload records without seeking consent. 'My feedback has been universally positive,' he said. . ."

Summary care record is indelible (7 Apr 2009)

e-Health Insider Primary Care

"Patients who do not opt-out of the Summary Care Record prior to one being created for them will not be able have their record deleted later, it has been revealed. If a patient subsequently opts out of the SCR their record will be 'masked' and become inaccessible by NHS staff, but it will not be deleted. The reasons given by the DH are a combination of medico-legal requirement, to preserve a future audit trail; and technical explanation that the way the system has been prohibits deletion of individual records. The clarification on the indelible nature of each SCR comes in a response to a Freedom of Information request made by GP Dr Neil Bhatia last month. Dr Bhatia, who is vigorously campaigning against the system, requested details of the mechanism by which patients at Bury PCT could get their uploaded SCR completely deleted if they had initially opted-in to the system and later changed their mind. In its response to Dr Bhatia's FOI request the PCT said: "If the patient changes their mind later, after a record has been created, we have to retain a copy of the record for audit trail since it may be required to demonstrate the reasons behind a previous clinical decision. "However, the SCR would be made unavailable from the moment that the patient no longer wished it to be used, so that no access is possible in a care situation. Therefore, there is no form available to have the record completely deleted if the patient has a record created in the first place." The response goes on to explain that the 93C3 read code, which is used to identify patients who do not wish to have an SCR, means that when the record is synchronised with the national Spine database, a blank care record will replace the existing SCR for that patient. However, this does not delete the original record, but instead 'masks' it. . ."

You've Been Uploaded (1 May 2009)

Private Eye

"The government's NHS database grows apace in its so-called pilot areas, despite its legality being cast in doubt by the European Court and, more recently, the Rowntree Trust. . . in six pilot areas (aka "early adaptors"), the government has already allowed primary care trusts (PCTs) to upload the so-called summary care records (SCRs) of some 248,000 patients - almost certainly without the knowledge of the vast majority. At one south Birmingham practice, for example, the records of more than 11,000 patients have been put on the database. Only 38 people were canny enough to opt out. To do so, they have to surmount various hurdles. . . When given full information about the database by wary GPs, virtually no one has allowed their records to be transferred. For example, at the Oaklands practice in east Hampshire, not one of the 11,500 patients have asked for their records to be transferred. Dr Neil Bhatia, the so-called Caldicott Guardian charged with data protection in the area, has decided that only those who give their express consent will have a summary care record on the system. Accordingly, no one did. The difference between the patients in south Birmingham and east Hampshire seems to be obvious. Those unlucky enough to be in the pilot areas are on the system; those with conscientious GPs scandalised by various government data cock-ups are not."

NHS patients given right to delete electronic record (26 May 2009)

The Guardian

NHS patients will be allowed to delete electronic summaries of their treatment records from a new national medical database, the Guardian has learned. The decision represents a significant concession in data protection policy following talks between health service officials and the Information Commissioners' Office (ICO). Until recently the Department of Health had resisted pressure from sceptical patients and doctors critical of the security risks generated by confidential records being transmitted across the NHS broadband computer network known as the Spine. Last month, officials described the cost of deleting individual summary care records (SCRs) from the system as prohibitive. The Department of Health had offered instead to "mask" or "suppress" unwanted files, making them difficult to access - a process that would nonetheless leave personal details on the database. SCRs are being introduced as part of an NHS-wide initiative being rolled out across the country to provide clinical staff with information on those they treat. Any doctor or nurse will have instant access to a summary of a patient's past medication, adverse drug reactions, allergies and conditions - which could be useful if that patient is unconscious or unable to recall vital details. SCRs are also being used to record confidential treatment requests including end of life plans, where people ask to be allowed to die at home or enter instructions such as "do not resuscitate". Pilot schemes began in Bolton and Bury, and so far more than 280,000 SCRs have been created nationally. The Department of Health says that 98% of people who have had the advantages of SCRs explained to them are in favour. But Dr Gillian Braunold, a medical director of the programme, acknowledged that "a significant minority" of people "don't want to have a summary care record". The new position, she said, was that "the deletion option is there if [individuals] are not happy - They can choose to have [their SCR] deleted physically." The only exception would be if the patient's SCR file had already been used, in which case it would be archived for "medico-legal" reasons, she added. . . The dispute was resolved in talks between the ICO and CfH. The former has traditionally taken the position that personal information that is no longer required should be deleted.

Google or Microsoft could hold NHS patient records say Tories (6 Jul 2009)

The Times

Health records could be transferred to Google or Microsoft under a Tory government, The Times has learnt. Patients will be given the option of moving their medical notes to private companies after the Conservatives said that they would replace Labour's "centrally determined and unresponsive national IT system". The Tories hope that users will be able to choose from a range of private sector websites, possibly including those operated by Bupa, the healthcare provider. This has raised issues of privacy and security, with MPs and health professionals warning it could hamper doctors' ability to access medical records quickly in an emergency. It has also raised questions about the party's links to Google. Steve Hilton, one of David Cameron's closest advisers, is married to Rachel Whetstone, the company's vicepresident of global communications and public affairs. Mr Cameron flew to San Francisco to address the Google Zeitgeist conference in 2007 at the company's expense. Five months ago, it was announced that Eric Schmidt, Google's chief executive, was joining a Conservative business forum to advise on economic policy. The drive is the first concrete proposal to emerge from the Tories' "post-bureaucratic age" agenda, in which citizens would be given more government information in order to make choices about public services. . . The final decision has yet to be taken, and the Google Health and Microsoft HealthVault services that are currently available in the US would need overhauling before they could work in Britain. The Conservatives have not worked out what would happen to the data of those who do not want their medical records handed to the private sector. The source added: "We are 100 per cent certain there will not be an exclusive deal with one provider. We fully expect multiple providers that will almost certainly be free to users." Norman Lamb, the Liberal Democrat, said: "It leaves a nasty taste in the mouth that there are repeated references to Google given the closeness of Team Cameron to that organisation, and it leaves concerns about commercial advantage being taken." A spokesman for the Conservative health team declined to comment.

Police probe breach of NHS smartcard security as e-records launched in London (16 Nov 2009)

Computer Weekly

An NHS trust at the forefront of work on the £12.7bn NHS IT scheme has called in police after a breach of smartcard security compromised the confidentiality of hundreds of electronic records. Patients in Hull have expressed their dismay that an unauthorised NHS employee has accessed their confidential records; and the local primary care trust, NHS Hull, says it is "shocked" at the breach of security by a member of staff who has since left. Details of the breach emerged as health officials in London were, in an unrelated event, telling journalists about the start of a roll-out of electronic records across London, as part of the National Programme for IT [NPfIT]. The roll-out is part of plans by the Department of Health to create for 50 million people in England an electronic "summary" medical record on a central database run by BT. But doctors say that the breach of security at NHS Hull shows that an insider with a smartcard can access confidential electronic records without authorisation, if the person is determined to do so. They say that this will deepen the scepticism of some doctors that centrally-held medical records will remain confidential under the NPfIT. Before the advent of NPfIT central databases individual medical records were retained by GPs or by NHS trusts in specific areas. GP Paul Cundy, a former spokesman on GP IT for the British Medical Association, said of the Hull incident: "This confidentiality breach, in one of Connecting for Health's showcase systems, highlights the inherent dangers of the Summary Care Record and all shared record systems. This is alarming news, but precisely what was predicted." Kath Tanfield a director at NHS Hull who is in charge of IT, says: "It is shocking to us that an individual who takes on a public service role and who agrees to abide by strict confidentiality agreements should go on to abuse their position and violate patients' rights to privacy". Hull has been working with NHS Connecting for Health and the NPfIT since 2004, in part on implementing a shared electronic health record. NHS Hull has also also working with Connecting for Health on the pseudonymisation of the controversial Secondary Uses Service - in which identifiable health records are partially anonymised so they can used for research purposes by non medical staff. Hundreds of millions of patient records have been uploaded to the Secondary Uses Service database. Every patient visit to a GP or hospital is recorded on the system. NHS Hull, in a joint presentation with NHS CfH, has conceded in the past that the security of pseudonymised data represents a potential data problem. In the security breach, an employee was authorised to use collated and anonymised patient data during the course of the person's day to day work, but was not authorised to access individual patient records. After the person left, however, NHS Hull discovered that the person "inappropriately accessed identifiable medical records. The trust says: "A total of 358 patients [registered at] GP practices have been affected by this." The trust has written to the patients whose records were looked at. It says it is cooperating fully with a police investigation which is now underway.

London GPs make it easy for patients to “opt-out” of central NPfIT database (25 Feb 2010)

Computer Weekly

London GPs are taking collective action which will make it easier for their patients to "opt-out" of having their medical details uploaded to a central database run by BT as part of the National Programme for IT [NPfIT]. The action is likely to be seen by the Whitehall officials as an attempt to hinder the roll-out of the Summary Care Record to six million patients in London. If many patients opt out of the scheme, the summary care records database may end up being used little or not at all by thousands of doctors and nurses. A letter is being sent to GPs by the London-wide group of Local Medical Committees, Londonwide LMCs, a trade association for general practitioners. It expresses concern about the "very short period" which primary care trusts and NHS Connecting for Health are giving patients to choose whether to opt out of having an central NPfIT "summary care record". As part of a national roll-out of the summary care record, patients who do not respond to a leaflet from their primary care trusts on the benefits of a central e-record are having some medical details uploaded to a central "spine" database which is run by BT, with Oracle as its subcontractor. Patients who "opt-out" will have their records kept solely under the control of GPs. The letter from the Londonwide LMCs says: "Many patients will have worries which they will wish to have addressed, and many may not bother or may ignore the letters [from primary care trusts on the summary care record scheme] and miss their chance to opt out from the start." Londonwide LMCs are making available online a poster for GP surgeries which gives patients simple advice on opting in or out of the summary care records scheme. The organisation is also encouraging GPs to "be more proactive and contact patients directly, or via patient participation groups, or via the practice website and text system if you have them". The letter of the Londonwide LMCs adds that doctors have a duty to ensure that patients make an informed choice. A Londonwide LMCs factsheet for patients quotes the British Medical Association as saying that "patient medical records should not be uploaded without explicit patient/carer consent". The Department of Health's NHS Connecting for Health, which runs the £12.7bn NHS IT scheme, discourages patients from opting out. Its leaflet warns that patients could endanger their lives by opting out, because key medical information may not be available to doctors when it's needed. NHS Connecting for Health insists that patients who wish to opt out must sign a disclaimer. But London GPs are making it easier to opt out. The poster asks: "Do you want your medical records to stay confidential to this practice, or to be uploaded to the NHS central record system, the NHS "spine"? If patients are unsure what to do, or want "to be in control" of their health information, they should opt out, in which case, says the poster, "Sign opt-out form at reception". If patients want, in an emergency, "other healthcare staff" to see what medication they are on and "future health information" they need do nothing, as their data will be uploaded. One GP said that the poster and other action by the Londonwide LMCs represents a "complete lack of confidence in the Summary Care Record and fundamental confusion and reservation about the ethics of transferring records onto the SCR without the confirmed explicit consent of each patient".

NHS database raises privacy fears, say doctors (7 Mar 2010)


Doctors' leaders are warning government ministers that the NHS is jeopardising its relationship of trust with patients by creating a vast database of personal medical records. GPs say they fear patients' rights are being overlooked, that "scaremongering" is being used to get people's agreement for the database, and that hackers could illegally access the central computer. The NHS wants more than 50 million people in England to agree to the creation of an individual summary care record (SCR). The idea is to improve the quality and safety of treatment provided by hospital staff and out-of-hours doctors by giving them access to information usually only held by a patient's doctor. Initially, such records will list any drugs a patient is taking, allergies they have and previous bad reactions to medicines, but eventually they will cover most of a patient's medical history. The British Medical Association is writing to Andy Burnham, the health secretary, to say that, while it supports the idea in principle, it has serious concerns. "I think the rights of patients are not being respected," said Dr Grant Ingrams, chair of the association's information technology committee. It is about allowing patients to decide what information about them is used. This is information that belongs to them and may include embarrassing information." The NHS is introducing the records using a policy of "implied consent" - patients are assumed to agree to the creation of a record unless they refuse. Ingrams said that about 10 million patients have already received patient information packs. The BMA wanted these to include an opt-out form. But Connecting for Health (CfH), the NHS body running the £600m scheme, refused. Instead, patients who do not want to participate have to get an opt-out form from their GP or request one by letter, helpline or website. Isabella Sankey, director of policy at Liberty, the human rights organisation, voiced serious concern about the summary records. "There would have been very good arguments for clear public information and an opt-in policy for this scheme. "But the worst of all worlds is to alleviate political criticism by providing a so-called opt-out which is inaccessible and virtually meaningless. How do you expect people to trust you with their most sensitive and private information if they can't even trust you to be honest in trying to gain their consent?" Some 1.24m records have already been created and another 8.9 million patients have received a letter about the programme, according to the Department of Health. A record will be automatically created for each patient after 12 weeks unless they specifically withhold their consent. Dr David Wrigley, the BMA council member for Lancashire and Cumbria, said: "How do we know that people have received the material in the post? Doctors in my area wanted a tear-off strip to be included at the bottom of the letter for patients to fill in and hand in to their GP's surgery to say no they didn't want a SCR, but CfH told us we couldn't do that." Katherine Murphy, director of the Patients Association, said summary records could improve the care patients receive, but that they should all be given an opt-out form. There should also have been a national advertising campaign so people could start thinking whether to participate or not, she said. Some doctors accuse the NHS of trying to scare patients into agreeing by claiming that future medical care could be impeded if they refuse. The opt-out form asks the patient to acknowledge that any future treatment may suffer if they do not have a summary record. "There is no evidence to say that is the case. It is scaremongering," one London doctor said. . .

One in six GPs snub care record (2 Jun 1010)


Exclusive: GPs are boycotting the rollout of the Summary Care Record in their droves, in a move that casts serious doubt over the rollout of the project, a Pulse investigation reveals. Among practices specifically invited to join the rollout, one in six has refused to do so, according to figures obtained under the Freedom of Information Act from 91 PCTs. In 36 areas which have begun the rollout and provided complete figures, 1,732 practices have been invited to participate - with 286 so far declining to take part. In some areas, half or more of practices have refused offers to sign up, amid fears over confidentiality, lack of patient awareness and the huge workload in uploading records. In NHS North Lancashire, where all 38 practices have been invited, only one has formally signed up to a pilot, while in NHS Cambridgeshire, which began contacting practices in December, just 37 of 77 have shown interest. In other areas, PCTs appear to have ridden roughshod over GPs' concerns - writing to all patients to offer them a care record without the backing of some local GPs. NHS Peterborough wrote to all its patients in March - even though five practices have yet to agree to participate. A spokesperson for NHS Hammersmith and Fulham said: ‘We haven't invited any practices to take part - it is not GPs' choice, it is patients' choice. All [practices] have been informed of our plans.' But in other areas, PCT support appears to be wavering, with some, such as the Torbay Care Trust, having no plans to begin a local rollout until the end of 2011 at the earliest. NHS Buckinghamshire appears to have rejected the rollout entirely, arguing the care record is not fit for purpose. It said: ‘Although NHS Buckinghamshire believes a summary and shared record of some form is required to support new pathway-based working, at present, Connecting for Health's Summary Care Record does not meet those requirements.' The investigation also reveals huge variation in spending on the care record rollout, over and above the £7.5 million of central funding Pulse revealed earlier this month. While some PCTs claimed to have spent nothing, or to have incorporated costs within existing budgets, others have spent thousands on training, project management and advertising. NHS Dorset, one of the early adopters, said it had spent £190,000 on the rollout, and expected to spend a further £70,000. It has so far uploaded 159,580 records - although none have yet been used. Dr Neil Bhatia, a GP in Yateley, Hampshire, and a long-time critic of the Summary Care Record, said: 'If the care record was as ground-breaking as Connecting for Health makes out, patients would be demanding it from their GPs, practices would be screaming for it from their PCTs and trusts would be banging on their SHAs' doors insisting on it.'

Personal tools