The dangers of databases

The Joseph Rowntree Reform Trust is today launching a report, “Database State”, which examines the rationale, security and consequences of 46 public sector databases. It is co-authored by Ross Anderson, professor of security engineering at Cambridge University, who is an outspoken critic of government databases.

The results are startling. Two databases, the NHS Detailed Care Record and the Secondary User Service (which holds summaries of treatment and is supposed to be used for administration and research) are given a “red light” rating. This means, according to the report, that they are “almost certainly illegal under human rights or data protection law and should be scrapped or substantially redesigned. The collection and sharing of sensitive personal data may be disproportionate, or done without our consent, or without a proper legal basis, or there may be other major privacy or operational problems.”

When I spoke to Prof Anderson yesterday, he had much to say on the subject, which he has been researching for almost 15 years. He told me that since about 1995, the Department of Health “has focused on driving control of medical records from doctors to government. It [the Dept of Health] has behaved as though doctors are impeding progress of the evolution of health”.

In Scotland, there has been one main supplier for computerised medical records – the General Practice Administration System for Scotland, or Gpass. Though the system is government sponsored, Ross doesn’t see this as an advantage. He believes that “it has rapidly fossilised. The only interest in upgrading the service has been to put into practice what the civil service has wanted.”

Anderson was adamant that centralised control is “going to be disastrous for medical records”. He gave me an example from Nuffield hospital in Oxford: “[They] put in the new system – and they found that records were suddenly kept on a remote server rather than locally. The server went down in Swindon, and they couldn’t access any records, and therefore couldn’t do any operations.”

But it is not the logistical minutiae of centralised records that concerns Anderson the most. He is more worried about whether they are a good idea in the first place. “In medicine, you have to make sure that the systems are responsive to needs. This is not like a McDonald’s franchise. Medicine is so complex that you can’t [have a "one size fits all" electronic medical record]. Also, when you look at hospital medicine, there are dozens of little specialities, and each wants its own best of breed system.”

Such choice is not going to be possible under the NHS’s new “Connecting for Health” plan. Anderson is also concerned about the plan’s feasibility. “You can build a system for security, or functionality or scale. If you are very good you can maybe do two out of the three. But not three. A GP centre with 10,000 records can cope with risks, maybe there will be a problem with confidentiality once in a career there. At least it is limited and local. But once you get to 50 million records with a large pool of access to them, you can’t realistically expect them to stay confidential”.

There have already been cases where NHS workers have accessed records they had no reason to look at. The few who fail to respect confidentiality will have access to more records, not fewer.

Connecting for Health says that it will be hugely beneficial to be able to access a person’s full medical record from anywhere in the UK. Yet you hardly ever need a full medical record in order to receive immediate treatment. If you arrive at Accident and Emergency so unwell that you can’t give your basic medical details, it’s unlikely you’d be able to give your name and date of birth either, so access to your computer health record wouldn’t be possible. The ideal may be to use something like medi-alert bracelets, where specific health information — say, about allergies or life-threatening conditions — is available no matter the state of the patient.

As is, the amount of information that the record plans to hold is so enormous that the record ceases to be clinically useful. So much of the data is simply administrative. But it also means that full — or almost full — medical records become accessible to just about anyone working in the NHS (and note, there are 1.3 million people employed in it).

The new records will be opt-out, rather than opt-in, which I think is immoral. There has been no decent reassurance from the government that standards of confidentiality in medical records will be upheld. I think Anderson’s concerns are justified — and you can start the process of opting out of central systems by making your wishes known to your GP surgery.

Margaret McCartney’s Blog

A forum on healthcare policy and professional issues, by Glasgow-based GP and FT Weekend columnist Margaret McCartney.