Wednesday, November 01, 2006

NHS data rape hits the headlines

The media has finally woken up to the dangers of the NHS scheme to put details of all UK citizens' medical treatment into a massive government database. Today's Guardian leads with the headline 'Warning over privacy of 50m patient files', and includes a guide to how you can opt out of the system.

I am going to try the Guardian's suggested direct approach, because so far I have been fobbed off by the NHS while trying to stop my medical record going into this database. The latest letter I received from the Department of Health is below.

Richmond House
79 Whitehall London
Tel: 020 7210 3000

1 September 2006

Dear Mr Brown,

Thank you for your further letter of 22 August to Dominic Ward in response to his reply of 3 July. Your letter has been passed to me for reply.

You reiterate your request for your name to be removed from all secondary processing of your personal health information. I recognise that you feel strongly about your rights in respect of this issue.

In your correspondence you raise a number of important issues, including patient rights in respect of data processing, the NHS Care Records Service, NHS confidentiality standards, and NHS staff behaviour. I will deal with each of these in turn. You also raise a number of specific questions which I have sought to address, following consultation with policy officials, at the end of what will inevitably be a rather lengthy reply.

Patient rights in respect of data processing

The instructions that you provided in your letter of 22 August are based on a presumption that as a patient you are able to instruct the NHS on what are essentially matters of general health service management or administration. In the debate on 16 June 2005, Caroline Flint was referring to a specific patient who had elected to withdraw from NHS care and who had demonstrated that she met criteria in Data Protection legislation that meant that continuing to hold data about her was not considered to be warranted. Ms Flint made it clear that we have significant concerns about the provision of care for patients who make the same choices as the patient at the centre of that debate. No-one will ever be denied access to healthcare, but everyone receiving NHS care will need to have a record of their contact details in the new IT systems. This is necessary to satisfy legal requirements, but is also important for patient safety and efficient management of services. I will explain this in more detail below. The extent to which clinical information is held will depend upon the care provided, but care can only be provided to patients who consent to that care and its record keeping implications.

Your rights in respect of information that can identify you are provided by common law obligations of confidentiality, and by Data Protection and Human Rights legislation. Taken together, these provide a robust framework for protecting the rights of individuals but they do not prevent processing of information in all circumstances, nor do they provide any general right for individuals to instruct or direct those who process information.

Doctors are required to keep records and the organisation that they work for, be it a GP Practice or a Hospital Trust, is required to ensure that information is held securely and that confidential information is not shared inappropriately. As a patient, you do not have the right to determine: the media on which the records are kept (eg on paper or in computer systems); the physical location of the information; or who manages those systems. Your GP, therefore, does not have to seek your approval if he/she decides to keep records about you on a system supported by the local Primary Care Trust, or indeed a system supported by any other part of the health service. However, you can complain if your confidentiality is compromised.

In certain circumstances, it may be possible to persuade a clinician to record items of information on paper or on stand-alone systems, but many types of care will in future depend upon information being shared through these systems, and for these it may never be possible to agree alternatives.

NHS Care Records Service

It will be necessary for some information to be held about everyone who is a patient of the NHS. In particular, contact details must be held to:

  • satisfy legal requirements for registers of which patients are under the care of each GP Practice;
  • to ensure that each individual presenting for care is ordinarily resident in this country and therefore eligible for free care;
  • to ensure that information about one patient does not become confused with that of another patient; and
  • to contact patients when they need to attend for check-ups and follow-up appointments.

Similarly, if a patient is admitted into hospital it will be necessary to hold administrative details within local elements of the NHS Care Records Service in order to manage the period spent in hospital, assign the patient to a ward and a bed, and to keep track of blood tests and the like. Core components of care such as laboratory tests and radiology results will in future only be available within the NHS Care Records Service systems. There will not be an alternative system available for local clinicians to use when providing NHS care.

The means by which information will be fed into the non-local element of the NHS Care Records Service is still being developed, but you will be provided with more information about this through a letter drop in advance of the systems being introduced in your area, and informed who to contact to express your preferences at that time.

NHS confidentiality standards

The NHS recognises that confidentiality and privacy are fundamentally important to individuals and strives to provide a good service. The standards that are required to be followed in the NHS are set out in the Department of Health publication Confidentiality: NHS Code of Practice, which can be found by visiting:, and typing the title in the search bar, and again more succinctly in the NHS Care Record Guarantee published by Ministers in April 2005 and updated in July 2006, which can be found at:

The responsibility for complying with those aspects of the law that underpin these guidelines rests with local organisations and complaints about any failure to meet the standards must be addressed to local NHS organisations through the established complaints procedures. Information about the NHS complaints procedures can be found by visiting the Department’s web-site at and typing ‘Complaints about the NHS in the Search Bar’ (sic).

When the new NHS Care Records Service systems are fully deployed, there will be a range of new controls in place. Staff will only be able to access systems and records if they have a current secure smartcard and valid pass code – these are issued to staff by newly created Registration Authorities that verify the identity of staff and control the issue of smartcards. No one will be able to access your clinical records unless they are working in a team that is providing you with care. If there is information in your records that you do not want to be shared even within this controlled environment, you will be able to place extra restrictions on who can see it. There will be exceptional arrangements for overriding your restrictions in case you are unconscious or if a Court requires disclosure of the records, but in these exceptional circumstances the system will generate an alert to ensure that an appropriately senior member of staff is informed and can properly investigate the occurrence. You will be able to specify whether you want your identifiable clinical information to be shared between different organisations and your specification will be held within the system. A record will be kept of everyone who accesses information about you.

In addition, up-to-the-minute security protection has been incorporated, across the system, and international security standards are applied across all system implementations. These include the use of encryption to communication links between systems, and to user interfaces with systems. The quality of both the logical and physical security of data centres is assured using both international and British standards, and all systems suppliers are contractually bound to auditing their adherence to these.

Over and above these implemented safeguards, the NHS maintains an effective liaison with the UK’s information security authorities and others for the sharing of relevant advice and guidance on known information security threats and vulnerabilities.

NHS Staff Behaviour

As staff are registered to use the new NHS Care Records Service systems they are required to sign a form binding them into explicit terms and conditions relating to patient confidentiality. Any abuse of systems or the data they contain is taken very seriously. The Department of Health has provided guidance to the NHS to the effect that any breach of confidentiality should be subject to disciplinary action and fully supports the Information Commissioner’s proposals to seek increased penalties for unlawful use of data about individuals.

Local NHS organisations are responsible for the actions of their staff and there are local complaints procedures in place to investigate issues and concerns raised by patients. The Department of Health cannot intervene in these locally managed processes, but does provide guidelines on how they should operate. If local procedures fail to resolve a complaint, there is also the possibility of taking matters further, for example, to the:

Healthcare Commission;
General Medical Council;
Health Ombudsman;
Information Commissioner;
or through civil action in the Courts.

Specific questions

i. Validation of data: It is the responsibility of the individual clinician to ensure that electronic data they have entered or transferred to a new or replacement electronic system is correct. For example, GPs already frequently transfer patient records to another GP when a patient changes their address or GP. An electronic facility to assist this process is currently under development – the ‘GP2GP’ record transfer service. This will reduce the amount of re-keying required by enabling the direct transfer of the electronic component of a patient’s existing care record.

The Data Protection Act 1998 establishes a set of principles with which users of personal data must comply. These include the duty to ensure that information is accurate and up to date. This duty would extend to individual GPs and other clinicians when transferring local electronic records, or transcribing or scanning paper records, to the NHS CRS. Guidance for transcribing paper records developed by the Royal College of General Practitioners and issued by the Department of Health makes it clear that responsibility for the quality of the necessary processes lies with the individual practice.

When the NHS Care Records Service is deployed locally, a senior clinician – for example, the principal practitioner in a GP practice – is responsible for approving the transfer of data. This only occurs after industry-standard testing procedures have demonstrated that the data has been safely transferred. Verification is by a series of quantitative and qualitative pre- and post-validation checks that ensure that the data stored on the new system is the same as the original.

It is considered to be good practice for NHS Trusts and GP Practices to preserve the existing paper records. The facility exists to easily store a case note reference on the electronic system that allows ready identification of the paper record where this may be required.

ii. Whilst the basic web architecture and functionality required for patient access to their electronic care record already exists, the timing of its widespread availability is linked to the roll-out of the NHS Care Records Service itself. In general, implementation is being achieved in carefully managed stages, via incremental rollout both geographically, and by increasing functionality over time to build the care record.

The approach, in line with best practice, is to implement new services incrementally, avoiding a ‘big bang’ approach, and to provide increasingly richer functionality over time. However, full access to elements of the NHS Care Records Service as described in our previous reply should be generally available by mid-2008.

iii. Correction of errors: prior to the introduction of the Data Protection Act 1998, patients had a right under the Access to Health Records Act 1990 to have their concerns or objections noted in records even where the holder of the record did not agree. This legal right was lost when the Data Protection Act replaced the Access to Health Records Act, but has been sustained through good practice guidance to the NHS. However, this is not a simple matter, as there are significant medico-legal implications to deleting health information, even where it is incorrect, if someone has relied upon it to make a decision. The key issue here is the potential need to be able to demonstrate that a misconceived clinical decision, based on erroneous ‘facts’, may nonetheless have been a valid decision, whatever its unfortunate consequences. This can be a matter of vital importance where, for example, clinical negligence is alleged, and where the unfettered right of a patient retrospectively to expunge incorrect information in the name of ‘data protection principles’ could leave clinicians exposed to false accusations of incompetence or wrong-doing.

iv. You ask about the evidence the Department holds on the risk of avoidable death or inappropriate care resulting from lack of, or inability to share, key patient information. Evidence is extensive in both the academic literature and from operational experience. Conspicuous examples include:

  • “The root cause of 27 per cent of medication errors is poor information availability” (Building a safer NHS for patients: Improving Medication Safety, DH, January 2004);
  • “1,200 people die each year in England and Wales as a result of medication errors, costing the NHS £500m a year” (A spoonful of sugar: medicines management in NHS hospitals, Audit Commission, December 2001, p4);
  • “10% of patients on medical wards experience an adverse effect, 46% of which are judged to be preventable. One third of adverse events lead to greater morbidity or death. Each event leads to an average of 8.5 additional days in hospital.” (British Medical Journal, 2001; 322: pp517—519); and
  • the instant transfer of images to a remote PC via Picture Archiving and Communications Systems (PACS) linked to electronic patient management systems reduces diagnostic waiting times and unnecessary repeat X rays.

There is, in fact, no substantial body of medical opinion in this country or abroad that suggests that modern electronic records and clinical communications systems do not have massive potential to cut through the demands and problems caused by the complexity of 21st century medicine, and significantly to reduce the causes, and the human and financial cost, of medical errors.

I hope this fuller information helps allay your concerns.

Yours sincerely,


John Kelly
Customer Service Centre
Department of Health


Anonymous said...

Interesting to read such a lengthy justification from the DH; particularly the issue that we have no right to say where or how our records are stored. I've already blogged that I think The Guardian is taking the wrong approach: more safeguards are needed, rather than a mass opt-out which will render the system unworkable for everyone.

Guy Barry said...

I guess it's closer and closer to a big brother society.

Anonymous said...

Some of this letter sounds exactly the same as some I got. Some of it is word for word the same. When I started reading it, I thought it was my letter/email that had been put on.

You would think they would do more than just copy and paste the same old rubbish. Comments made by CfH and Mt Cayton to me by email/letter seem to be in contrast to the claims that relevant data is not available. Copies available if requested (there are a few, by the way).